APD/GBA (Belgium) - 07/2024
APD/GBA - 07/2024 | |
---|---|
Authority: | APD/GBA (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 5(1)(c) GDPR; Article 5(1)(e) GDPR; Article 6(1)(f) GDPR; Article 12 GDPR; Article 14 GDPR; Article 15(1)(c) GDPR; Article 15(1)(g) GDPR; Article 15(3) GDPR; Article 24(1) GDPR; Article 25 GDPR; Article 30(1)(c) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | |
Published: | |
Fine: | 174,640 EUR |
Parties: | Black Tiger Belgium |
National Case Number/Name: | 07/2024 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Dutch |
Original Source: | Gegevensbeschermingsautoriteit (in NL) |
Initial Contributor: | ar |
The Belgian DPA fined a data broker €174,640. The controller was found to have breached several GDPR articles due to its unlawful processing of personal data collected indirectly.
English Summary
Facts
On 23 October 2020 and 27 November 2020, two complainants submitted two separate access requests under Article 15 GDPR to Bisnode Belgium, a direct marketing and data specialist company, which was subsequently taken over by the French Black Tiger Group and renamed Black Tiger Belgium (the controller).
On 13 November 2020 and 23 December 2020, they both received a reply to their requests from the controller by post. The letter provided further explanation of the personal data processed, including a summary of the categories of personal data, categories of recipients, the processing purposes and the legal basis, which was legitimate interest under Article 6(1)(f) GDPR.
Following the information provided, on 28 January 2021, the complainants filed a joint complaint with the DPA against the controller. The complainants complained that the controller, as a data broker, processed a large amount of their personal data without their knowledge and prior consent, violating Article 13 or 14 GDPR. They also affirmed that a large amount of data was sent to various parties and resold to third parties for commercial purposes. The complainants also pointed out that some of the personal data were more than 15 years old and, therefore, incorrect. In addition, the complainants believed that the controller applied profiling to their personal data before selling the profile data. Lastly, they claimed that the controller breached Article 12(3) GDPR by providing the requested information on paper.
On 22 March 2021, the Disputes Chamber of the DPA requested the Inspection Service to investigate the matter, and the parties were heard before the Disputes Chamber on 22 February 2023.
Holding
Following the information provided, the Belgian DPA found several GDPR infringements, which fall into three groups.
• Unlawful and unfair processing of personal data. The DPA found an infringement of Article 6(1)(f) GDPR since the controller did not properly demonstrate that its interests, supplying the personal data to its customers and maintaining updated records of the data subjects, would outweigh the interests and fundamental rights of the data subjects involved. Additionally, the DPA noted that the controller processed different types of data, raising the question of the extent to which all these personal data were systematically necessary for the pursuit of the intended interests under Article 5(1)(c) GDPR. Moreover, the DPA questioned compliance with the storage limitation principle under Article 5(1)(e) GDPR, since the controller stated that it keeps personal data in its databases for 15 years from the last entry. The DPA also found a breach of Articles 12 and 14 GDPR as the controller failed to inform the complainants in a timely and individual manner even though the controller had the contact details of the majority of those involved. It further found that, at the time of the investigation, the privacy statement for consumers was incomplete. Thus, the DPA found that the controller infringed Article 14 GDPR. Additionally, the DPA found that there can be no doubt that the controller should be held responsible for the processing activities that took place before the acquisition of Bisnode Belgium by the controller, even after the name change. This is because, with the transition, the responsibility and decision-making power over the means and purposes of personal data processing. The DPA noted that Articles 5(2) and 24 GDPR impose general accountability requirements on controllers and require them to comply with the general principles. Since the controller was unable to demonstrate that the contested data processing operations were compliant with the GDPR, the DPA held that Article 5, Article 24(1), as well as Articles 25(1) and (2) GDPR had been infringed.
• Secondly, the DPA established that both complainants received a reply from the controller by post, although their original access requests were made electronically. Article 15(3) GDPR states that when the data subject submits his request electronically and does not request any other arrangement, the information must be provided in a common electronic form. Moreover, by giving a reply by post, the controller made it difficult for the complainants to reply to the letter with a follow-up request. Thus, the controller violated Articles 12(1) and (2) GDPR since the controller did not facilitate the complainants’ rights, as well as Article 12(3) in conjunction with Article 15(3) GDPR. Furthermore, the DPA stated that the controller infringed Article 15(1)(g) GDPR by not communicating to the complainants all available information on the sources from which it received their personal data. Referring to the CJEU judgment in Österreichische Post (CJEU, 12 January 2023, C-154/21, RW v Österreichische Post), the DPA further noted that controllers are required to provide data subjects with the identity of the recipients to whom personal data are or will be provided. Only when it is not possible to identify these recipients is the controller allowed to limit the information to the relevant categories of recipients. In this way, if needed, a complainant could exercise their rights directly with these recipients. Given the foregoing, the controller infringed Article 15(1)(c) GDPR.
• Lastly, the DPA noted that the register of processing activities submitted by the controller only indicated the categories of data subjects without more details. Meanwhile, Article 30(1)(c) GDPR explicitly requires the register to include a description of the categories of data subjects and the categories of personal data. Consequently, the controller infringed Article 30(1)(c) GDPR.
Taking into consideration the above-mentioned infringements, the DPA imposed a fine of €174,640 on the controller.
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
Disputes Chamber
Decision on the merits 07/2024 of 16 January 2024
File number: DOS-2021-01224
Subject: Complaint regarding unlawful processing and commercialization of personal data by a data broker
The Disputes Chamber of the Data Protection Authority (hereinafter, GBA), composed of Mr Hielke Hijmans, chairman, and Mr Dirk Van Der Kelen and Yves Poullet, members;
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter GDPR;
Having regard to the law of 3 December 2017 establishing the Data Protection Authority, hereinafter WOG;
Having regard to the internal rules of order, as approved by the House of Representatives on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019;
Having regard to the documents in the file;
Has made the following decision regarding:
Complainants: [X], [...], hereinafter “the complainants”, represented by [...], with registered office in [...], registered with the Crossroads Bank for Enterprises under the number [...].
The defendant: BLACK TIGER BELGIUM (formerly BISNODE BELGIUM NV), with registered office in [...], registered with the Crossroads Bank for Enterprises under the number [...], hereinafter “the defendant”, represented by attorneys DOCQUIR and CORNETTE, with offices in [...].
I. Facts and procedure
II. Justification
II.1. Competence of the Belgian Data Protection Authority
II.2. Description of the disputed processing activities by the defendant
II.2.1. Processing responsibility
II.2.2. Data processing
II.3. Lawfulness of the processing (Article 5.1.a) and 5.2, as well as Article 6.1 GDPR)
II.3.1. Position of the Inspection Service
II.3.2. Position of the parties
II.3.3. Judgment of the Disputes Chamber
II.4. Transparency towards those involved (Article 12.1, Article 13.1 and 13.2, Article 14.1 and 14.2, Article 5.2, Article 24.1, and Article 25.1 GDPR)
II.4.1. Position of the Inspection Service
II.4.2. Position of the parties
II.4.3. Judgment of the Disputes Chamber
II.5. Handling requests from data subjects to exercise their rights (Article 12.1 and 12.2, Article 15.1, Article 5.2, Article 24.1, and Article 25.1 GDPR)
II.5.1. Position of the Inspection Service
II.5.2. Position of the parties
II.5.3. Judgment of the Disputes Chamber
II.6. Use of cookies on the defendant's websites (Article 4.11), Article 5.1.a) and 5.2, Article 6.1.a), as well as Article 7.1 and 7.3 GDPR)
II.6.1. Position of the Inspection Service
II.6.2. Position of the defendant
II.6.3. Judgment of the Disputes Chamber
II.7. Accountability of the defendant (Article 5.2, Article 24.1, as well as Article 25.1 and 25.2 GDPR)
II.7.1. Position of the Inspection Service
II.7.2. Position of the defendant
II.7.3. Judgment of the Disputes Chamber
II.8. Register of processing activities (Article 30.1, 30.2, and 30.3 GDPR)
II.8.1. Position of the Inspection Service
II.8.2. Position of the defendant
II.8.3. Judgment of the Disputes Chamber
II.9. Involvement of the DPO (Article 38.1 and Article 39.1 GDPR)
II.9.1. Position of the Inspection Service
II.9.2. Position of the defendant
II.9.3. Judgment of the Disputes Chamber
II.10. Additional considerations regarding the inspection report
III. Sanctions and corrective measures
III.1. Established infringements
III.2. Measures imposed by the Disputes Chamber
III.2.1. Corrective measures to bring processing into compliance with GDPR
III.2.2. Administrative fines
III.3. Other grievances
IV. Publication of the decision
I. Facts and procedure
1.
The subject of the complaint concerns the alleged unlawful processing and commercialization of personal data of the complainants by the former NV BISNODE BELGIUM [1], now known as “BLACK TIGER BELGIUM”.
2. BISNODE BELGIUM is, in its own words, a direct marketing and big data specialist that already... has been active on the B2B market in Belgium for several decades. For several years the company was active in the field of data broking, where BISNODE BELGIUM purchased data from sources and processed this data on behalf of its customers, who themselves carried out direct marketing activities, either for companies or for private individuals or consumers.
3. On October 23, 2020 and on November 27, 2020, the two complainants each separately submitted a request to the defendant to exercise their right of access in accordance with Article 15 GDPR.
4. On November 13, 2020 and December 23, 2020, they each received an answer to their request. Both responses were sent by regular mail by the defendant, and provide further explanation about the various files in which the personal data of the complainants are or are not included, as well as a summary of the categories of personal data available to the defendant, the processing purposes and the legal basis (Article 6.1.f) GDPR). Furthermore, the defendant provides a list “of the (potentially) involved sectors” within which companies are active that may receive personal data of the complainants from the defendant. The defendant then clarifies that the complainants' personal data will be kept in its database for 15 years from the last registration, and lists the sources of the personal data in the consumer file ([the Z8 company]) and in the company database (Belgian Official Gazette and Crossroads Bank for Enterprises) respectively. The defendant also emphasizes that it does not use automated decision-making, but assesses the so-called “marketing potential” of the data subjects in order to create a marketing segmentation profile for each user. The defendant also states that it, or “one of its customers”, “in certain cases” transfers the personal data of the complainants to countries outside the EEA. Finally, the defendant points the complainants to the opportunity to exercise their other rights, on which more information can be consulted on the website www.bisnodeenu.be, as well as to the possibility to file a complaint with the Data Protection Authority.
[1] See paragraph 36 of this decision.
[2] Conclusions of the defendant dated March 7, 2022, p. 2.
5. On January 28, 2021, the complainants submitted a joint complaint to the Data Protection Authority against the defendant. The complainants complain that the defendant, as a data broker, processes a large amount of their data without their knowledge, and therefore in violation of Article 13 or 14 GDPR, and without their prior consent. According to the complainants, these data were purchased from different parties, enriched where necessary, and then resold to third parties for commercial purposes. The complainants also object to the fact that some personal data are more than 15 years old, and are therefore incorrect. In addition, the complainants believe that the defendant applies profiling to their data before selling on this profile data. In conclusion, the complainants state that the defendant violated Article 12.3 GDPR by providing the requested information on paper, while the exercise of their rights by data subjects necessarily had to be done electronically.
6.
On March 15, 2021, the complaint was declared admissible by the First Line Service on the grounds of Articles 58 and 60 WOG and transferred to the Disputes Chamber on the basis of Article 62, § 1 WOG.
7. On March 22, 2021, the Disputes Chamber decided on the basis of Articles 63, 2° and 94, 1° WOG to request an investigation from the Inspection Service.
8. On March 24, 2021, the request from the Disputes Chamber to conduct an investigation was transferred to the Inspection Service, together with the complaint and the inventory of the documents.
9. On March 31, 2021, BISNODE BELGIUM was acquired by [the parent company Z1] [3] and the former directors were replaced by new directors, including [...] who also sits as chairwoman on the board of directors of [the parent company Z1].
10. The investigation by the Inspection Service was completed on May 20, 2021, the report was added to the file and the file was transferred by the Inspector General to the Chairman of the Disputes Chamber (Article 91, § 1 and § 2 WOG). The report contains findings regarding the subject of the complaint and concludes that the defendant has committed violations of the following provisions of the GDPR:
i. Articles 5.1.a) and 5.2, as well as Article 6.1 GDPR;
ii. Articles 12.1 and 12.2, Article 15.1, Article 5.2, Article 24.1, and Article 25.1 GDPR;
iii. Article 12.1, Article 13.1 and 13.2, Article 14.1 and 14.2, Article 5.2, Article 24.1, and Article 25.1 GDPR.
The report also contains findings that go further than the subject of the complaint. In particular, the Inspection Service determines that the defendant has violated the following provisions of the GDPR:
iv. Article 4.11), Article 5.1.a) and 5.2, Article 6.1.a), as well as Article 7.1 and 7.3 GDPR;
v. Article 5, Article 24.1, as well as Articles 25.1 and 25.2 GDPR;
vi. Articles 30.1, 30.2, and 30.3 GDPR;
vii. Article 38.1 and Article 39.1 GDPR.
Finally, the Inspection Service determines that the processing of personal data is part of the core activities of the defendant, and that the defendant systematically and on a large scale processes personal data for, among other things, direct marketing purposes.
[3] [Z1], established in […], registered on the National Trade and Companies Register (Registre national du commerce et des sociétés) of France with SIREN number […]. At the General Meeting of […] June 2023, the name of the company changed to “Z2”; the minutes of this General Meeting were registered on […] November 2023 with the Commercial Court of Paris (see paragraphs 28 and 34 in this decision).
[4] B.S., April 21, 2021 – https://www.ejustice.just.fgov.be/[...].
[5] See the French government website L'Annuaire des Entreprises: https://annuaire-entreprises.data.gouv.fr/[...].
11. On June 15, 2021, the name of BISNODE BELGIUM was changed to BLACK TIGER BELGIUM [6]. However, the company number […] remains unchanged.
12. On September 30, 2021, the Disputes Chamber decided on the basis of Article 95, § 1, 1° and Article 98 WOG that the file was ready for substantive treatment. The parties involved were notified by registered mail of the provisions mentioned in Article 95, § 2, as well as in Article 98 WOG. They were also informed, on the basis of Article 99 WOG, of the deadlines for submitting their defenses.
13. On October 4, 2021 and October 8, 2021, the defendant and the complainant respectively requested a copy of the file (Article 95, § 2, 3° WOG), which was sent to them on October 8, 2021. Both parties accepted further exchanges of documents electronically.
14.
On October 13, 2021, the defendant indicated that it wished to make use of the opportunity to be heard, in accordance with Article 98 of the WOG, and requested to be able to express itself in French, both in its conclusions and during the hearing before the Disputes Chamber, since the defendant has its seat in the bilingual Brussels-Capital area, is registered in French with the Crossroads Bank for Enterprises, has its articles of association in French, and is part of the French “BLACK TIGER GROUP” [7].
15. On November 3, 2021, the parties were informed of the suspension of the previously communicated deadlines for conclusions, pending a decision by the Disputes Chamber regarding the language of the procedure. On November 6, 2021, the complainant let it be known that he opposes the change of the procedural language to French, as he has neither sufficient command of French nor the means to have French-language documents translated. On November 13, 2021, the complainant reported that he is having himself represented by […].
[6] B.S., June 30, 2021 – https://www.ejustice.just.fgov.be/[...].
[7] See paragraph 36 of this decision.
16. On November 29, 2021, the Disputes Chamber decided not to grant the request of the defendant to change the language of the proceedings to French, for the following reasons:
- The position of the defendant - The Disputes Chamber determines that the defendant should be classified as a large company, with more than 100 full-time employees in 2020. The Disputes Chamber also notes, based on the documents of the file, that the defendant has a Dutch-speaking as well as a French-speaking target audience.
- The position of the complainant - The Disputes Chamber determines that the complainant has a direct interest in a decision of the Disputes Chamber, as the complaint relates to the exercise of his rights in relation to personal data about him collected and processed by the defendant.
- Abuse of the option to object to complicate the procedure - In view of the bilingualism of the defendant, as evidenced, among other things, by the answers the complainant received in Dutch as well as the bilingual website of the defendant, which is also located in the bilingual area of Brussels-Capital, the Disputes Chamber judges that the defendant's request to change the procedural language unnecessarily complicates the procedure before the Disputes Chamber.
- Other specific circumstances in the case - The Disputes Chamber takes note of the fact that the defendant always expressed itself in French during the investigation by the Inspection Service; the Disputes Chamber considers, however, that this argument is insufficient to justify a change in the procedural language, taking into account the previous elements. Finally, the Disputes Chamber wishes to emphasize that it also does not understand to what extent the takeover of BISNODE BELGIUM by the French group BLACK TIGER could justify a change of the language in which the dispute settlement procedure is conducted.
Consequently, both parties must submit their defenses in Dutch. However, the parties are free to provide any supporting documents in their original language, without the GBA being responsible for their translation.
The parties involved were also notified by registered mail of the new deadlines for submitting their defenses, in accordance with Articles 98 and 99 WOG.
With regard to the findings regarding the subject of the complaint, the deadline for receipt of the defendant's response was set at January 24, 2022, that for the complainant's reply at 14 February 2022 and finally that for the defendant's rejoinder at March 7, 2022.
With regard to findings that go beyond the subject of the complaint, the deadline for receipt of the defendant's response was set at January 24, 2022.
17.
On January 24, 2022, the Disputes Chamber received the response conclusions from the defendant with regard to the findings regarding the subject of the complaint. The Disputes Chamber hereby establishes that the defendant has not objected further to the use of Dutch by the Disputes Chamber and has drawn up its written comments in Dutch.
18. On February 15, 2022, the Disputes Chamber received the complainant's response conclusions with regard to the findings regarding the subject of the complaint.
19. On March 7, 2022, the Disputes Chamber received the conclusions of the defendant's rejoinder with regard to the findings regarding the subject of the complaint.
20. On August 3, 2022, the Disputes Chamber decided to invoke Article 56 GDPR in order to initiate a procedure to identify the lead supervisory authority as well as, where appropriate, other supervisory authorities concerned. The reason for this is the possible transfer of data processing responsibility in the context of the acquisition of BISNODE BELGIUM by BLACK TIGER on March 31, 2021, as well as the statements by the defendant that its services were explained to the French supervisory authority (CNIL). There is also the possibility that data subjects in other Member States are materially affected by the disputed processing of personal data by BISNODE BELGIUM, now BLACK TIGER BELGIUM.
21. On October 6, 2022, the CNIL confirmed that it is investigating to what extent it will act as lead supervisory authority as a result of the takeover by BLACK TIGER. On 19 and 27 October 2022, the Polish and Italian supervisory authorities respectively informed the GBA that they wish to act as a supervisory authority concerned.
22. On November 15, 2022, the CNIL confirmed to the GBA that BLACK TIGER had contacted the CNIL, but only with regard to the development of the “Data Quality” platform, which contains a specific module dedicated to GDPR compliance. The CNIL, on the other hand, clarifies that it cannot yet confirm whether any exchanges have taken place between its services and BLACK TIGER regarding the possible cross-border nature of BLACK TIGER's processing operations. As regards its competence for the processing by the BLACK TIGER group, the CNIL confirms that it is trying to determine whether the group's headquarters changed in the period after the takeover of the Belgian company by the French company. The CNIL closes with the comment that it is awaiting additional information on this point.
23. On December 22, 2022, the CNIL informed the GBA that the information provided by BLACK TIGER has led to the conclusion that BLACK TIGER BELGIUM retained its decision-making bodies following the acquisition of BISNODE BELGIUM in March 2021 by [Z1], the French parent company of the BLACK TIGER group. The CNIL states more specifically that the executive body of BLACK TIGER BELGIUM remained, despite the acquisition, responsible for the formal decision to cease the Data Delivery data broker activities. Therefore, the CNIL concludes, the Belgian BLACK TIGER BELGIUM branch is the main establishment for the disputed processing and the authority of the GBA as lead supervisory authority remains unchanged.
24. On January 19, 2023, the parties were notified that the hearing would take place on February 22, 2023.
25. On February 22, 2023, the parties were heard by the Disputes Chamber.
26. The minutes of the hearing were submitted to the parties on March 2, 2023.
27. On March 10, 2023, the Disputes Chamber received some comments from the defendant regarding the minutes, which it decided to include in its deliberation.
28. On […] June 2023, the General Meeting of [the parent company Z1] unanimously approved the tenth resolution, changing the name of the company to “[the parent company Z2]”.
29.
On August 7, 2023, the Disputes Chamber decided to reopen the debates regarding specific points related to the case at hand.
30. On August 8, 2023, the supervisory authorities concerned were formally informed, by means of a request for mutual assistance [8], of the withdrawal of the cooperation procedure in accordance with Article 60 GDPR, given the lack of determination in the present case of cross-border data processing within the meaning of Article 4.23) GDPR.
[8] Article 61.1 GDPR: “Supervisory authorities shall provide each other with relevant information and mutual assistance in order to implement and apply this Regulation in a consistent manner, and shall put in place measures for effective cooperation with one another. Mutual assistance shall cover, in particular, information requests and supervisory measures, such as requests to carry out prior authorisations and consultations, inspections and investigations.”
31. On 6 September 2023, the Disputes Chamber received the response conclusion of the complainant.
32. On September 11, 2023, the Disputes Chamber received the response statement of the defendant, which it decided to include in its deliberations.
33. On October 31, 2023, the Disputes Chamber informed the defendant of its intention to impose an administrative fine, as well as its amount, in order to give the defendant the opportunity to defend itself before the sanction is actually imposed.
34. On […] November 2023, the Registrar of the Commercial Court of Paris registered under file number […] the company deed containing the minutes of the General Meeting held on […] June 2023 as well as the articles of association of [the parent company Z2], as updated following the decisions of the General Meeting.
35. On November 24, 2023, the Disputes Chamber received the defendant's response to the intention to impose corrective measures and an administrative fine, as well as the amount thereof. The Disputes Chamber takes this response into consideration in its deliberation.
II. Justification
II.1. Competence of the Belgian Data Protection Authority
36. Between 2007 and 2020, BISNODE BELGIUM was part of [the company Z3] (hereinafter “[Z3]”), an international holding company consisting of entities mainly in Northern and Eastern Europe. On October 8, 2020, the Swedish private equity firm [Z4], majority shareholder (70%) of BISNODE AB, announced the sale to [the company Z5] of all its shares in the holding company BISNODE AB, excluding the operational activities of BISNODE BELGIUM.
37. The Disputes Chamber notes that BISNODE BELGIUM was taken over on March 31, 2021 by the French company [Z1], now [Z2], trading under the commercial name BLACK TIGER GROUP. As a result of the takeover, the name BISNODE BELGIUM was changed to BLACK TIGER BELGIUM on 15 June 2021.
[9] See paragraphs 28 and 34 of this decision.
38. The Disputes Chamber rules that this takeover of BISNODE BELGIUM by the French group BLACK TIGER as well as the name change to BLACK TIGER BELGIUM have no impact on the jurisdiction of the GBA with regard to alleged infringements of the GDPR, for the following reasons.
39. First of all, the Disputes Chamber points out that the original complaint was directed against BISNODE BELGIUM NV, established in Belgium, and that the website https://bisnodeandyou.be, currently no longer accessible, on March 31, 2021 still explicitly stated BISNODE BELGIUM as controller for the processing of personal data [10].
40. Under Article 55 GDPR, each supervisory authority has the power, on the territory of its Member State, to perform the tasks and exercise the powers that have been assigned or granted to it in accordance with the GDPR. It follows that the Belgian data protection authority was competent at the time of the complaint for the processing activities carried out by BISNODE BELGIUM. The fact that BISNODE BELGIUM [11] was still owned by the Swedish listed group [Z4] until March 31, 2021 cannot lead to a lack of jurisdiction of the GBA. The defendant's contention that BISNODE BELGIUM only had “little room for maneuver to […] determine its own strategies and policy regarding personal data” [12] is also not convincing to the Disputes Chamber. After all, after the transfer of the parent company BISNODE AB to [the Z5 company] in October 2020, BISNODE BELGIUM could no longer be considered bound by the former policy choices imposed by BISNODE AB.
41. The fact that the defendant was taken over by a French group at the time of the investigation also does not lead to the conclusion that the GBA is not competent for the processing of personal data until the aforementioned date of takeover. In this case, the Disputes Chamber established that the processing activities of the defendant, including the various websites managed by it, are aimed at a Belgian target audience and relate to data subjects established in Belgium. The defendant's statement that “Bisnode Belgium [before and after the entry into force of the GDPR] ensured that [the company] had an appropriate internal organization to meet its obligations towards the persons whose personal data it holds,” as well as that “the new buyer was in no way involved and[sic] in the course of these events [the alleged infringements]” also confirms the jurisdiction of the GBA.
[10] Item 12 (“Screenshots of the website https://bisnodeandyou.be/”) in the inventory, p. 4.
[11] In October 2020, [Z4], a Swedish listed group and majority shareholder (70%) of the BISNODE group (BISNODE AB, Sweden), announced the sale of all its shares to [the company Z5], with the exception of the operational activities of BISNODE BELGIUM.
[12] Conclusion in the defendant's rejoinder dated March 7, 2022, p. 2.
42.
Finally, and for the sake of completeness, the Disputes Chamber notes that the defendant in no way currently questions the authority of the GBA to deal with the complaint on the merits stated. On the contrary, both during and following the hearing of February 22 2023, the defendant disputed that there was a cross-border situation processing within the meaning of Article 4.23) GDPR, with the result that the application of According to the defendant, Article 60 GDPR is not relevant. The mere circumstance that the website of B LACK TIGER BELGIUM mentions a branch in Poland, according to the defendant is in no way sufficient as such to establish the existence of a cross-border to make processing plausible. In connection with the above, the GBA has circumstances, the cooperation procedure pursuant to Article 60 GDPR is terminated. 13 43. The Disputes Chamber will hereafter review the data processing activities carried out by the defendant, before summarizing each of the findings included in the report to assess the Inspection Service in the light of the relevant information provided by the parties resources supplied. II.2. Description of the disputed processing activities by the defendant 44. Based on the documents submitted, the Disputes Chamber understands that the defendant at the time of the complaints, it managed three different databases with personal data had: i. the consumer file Consu-Matrix (hereinafter, “CMX”), which contains personal data of consumers that the defendant contains from various external sources (“source partners”) has collected. These sources create their own customer databases disposal to B ISNODE B ELGIUM for commercialization with a view to direct marketing purposes. CMX is a B2C information database intended for 13 See edge no. 30 in this decision. 
marketing, analysis, profiling, statistics, verification and audit purposes [15] (data quality), as well as for reference and “other” purposes.

ii. the Spectron company file, which contains company and contact details of Belgian companies that the defendant acquired through public/government sources (Crossroads Bank for Enterprises, National Bank of Belgium) as well as via commercial data sources. Spectron is a B2B information database intended for marketing profiling, analysis, credit purposes, statistics, verification and control purposes [16] (data quality), as well as for reference and “other” purposes.

iii. the Permesso direct marketing file, which contains personal data from “Permesso members” that the defendant has collected via an online marketing platform. Personal data included in Permesso is intended for marketing and direct marketing purposes (marketing, analysis, profiling and statistics).

[14] Document 1 (“DPIA Bisnode 23 May 2018 - Consu -Spectron-Permesso”) submitted to the Inspection Service, p. 4; Document 8 (“Bisnode Belgium GDPR Governance B2C de 2019”) submitted to the Inspection Service; Document 9 (“Bisnode Belgium GDPR Governance B2B de 2019”) submitted to the Inspection Service.

45. Unlike Permesso, which contains personal data that have been collected directly from the data subjects for direct marketing purposes, based on the consent of the data subjects (Article 6.1.a) GDPR), CMX and Spectron are exclusively supplemented with personal data collected indirectly, on the basis of the legitimate interest of the defendant and its customers (Article 6.1.f) GDPR).

II.2.1. Processing responsibility

46. A controller is defined as “a natural person or legal entity, a public authority, a service or another body that, alone or together with others, determines the purpose and means of processing personal data” (Article 4.7) GDPR).
This is an autonomous concept, specific to the regulations on data protection, which should be assessed against the criteria that are established therein: the determination of the purposes of the data processing concerned and the means for that processing.

[15] Free translation of: “purposes of marketing, analysis, profiling, statistics, verification and control (Data Quality), directory (reference purposes) and other” in Document 1 (“DPIA Bisnode 23 mai 2018 - Consu -Spectron-Permesso”) submitted to the Inspection Service.
[16] Free translation of: “purposes of analysis, credit purposes, marketing profiling, statistics, verification and control (Data Quality), directory (reference purposes) and other” in Document 1 (“DPIA Bisnode 23 mai 2018 - Consu -Spectron-Permesso”) submitted to the Inspection Service.
[17] Free translation of: “marketing/direct marketing purposes (marketing, analysis, profiling and statistics)” in Document 1 (“DPIA Bisnode 23 May 2018 - Consu -Spectron-Permesso”) submitted to the Inspection Service.

47. The aforementioned databases were set up and managed by BISNODE BELGIUM, as is irrefutably proven by the internal documentation submitted to the GBA during the investigation (own underlining and filtering):

48. In view of the information available, the Disputes Chamber considers it sufficiently proven that BISNODE BELGIUM acted as the controller for the aforementioned processing activities at the time of the complaints.

49. Until March 2021, BISNODE BELGIUM offered its customers on the Belgian B2B market two separate activities: on the one hand, a “Data Quality” service, which consists of improving the quality or relevance of customer data, and on the other hand, a “Data Delivery” service, which consists of providing data to customers who do not yet have them and which enables them to feed their direct marketing campaigns.
Both Spectron and CMX were processed by the defendant for Data Quality (DQ) [19] and for Data Delivery (DD) purposes. In concrete terms, the data from CMX customers of the defendant for enrichment purposes or rented out for direct marketing purposes (mainly by post). The Spectron company base was also marketed to customers of the defendant, who could use the data from this file for their own direct marketing purposes. [21]

[18] Document 1 (“DPIA Bisnode 23 mai 2018 - Consu -Spectron-Permesso”) and Document 30 (“Bisnode Belgium - Copy of Record of Processing”), transferred by the defendant to the Inspection Service in the context of the investigation.
[19] Document 30 (“Bisnode Belgium – Copy of Record of Processing”) submitted to the Inspection Service.
[20] Conclusion in rejoinder dated March 7, 2022 of the defendant, p. 3.
[21] Exhibit 6 (“Legitimate Interest Assessment Spectron 27082020”) filed with the conclusions in response of the defendant, p. 1: “Bisnode compiles data from different sources: […] (ii) via public sources such as, for example, the Crossroads Bank for Enterprises. […] The purpose of such processing operation for Bisnode is increase and increase its proprietary B2B database Spectron, in order to deliver better services. Those services may include […] delivery of datasets for direct marketing purposes on the basis of specific criteria (segmentation) covering offline and digital channels, including social media”.

50. Following the takeover by BLACK TIGER GROUP on March 31, 2021, the renewed board of directors of BLACK TIGER BELGIUM opted on June 25, 2021 to discontinue activities in connection with the Data Delivery services. It was also decided to destroy the CMX consumer file on July 30, 2021, as well as the Permesso direct marketing file.
Until that date, the data from CMX, including the personal data of the complainants, were sold, rented or made available for sale to companies with a view to their direct marketing purposes, and in particular for sending advertising messages as well as for validation, identification and analysis purposes. All customers of the defendant additionally received a communication informing them that BLACK TIGER BELGIUM intended to discontinue the “B2C Data Delivery” activity. Although the existing contracts with customers of these services were terminated, customers of the defendant who had received data before or on July 30, 2021 could, in accordance with the contractual provisions, use the data already provided [24] until October 30, 2021.

51. The Data Delivery service for the professional market (“B2B Data Delivery”), which related to the Spectron company file, was canceled with effect from 1 December 2021 [25] and transferred by BLACK TIGER BELGIUM to [the Z6 company]. Customers of the defendant who had received data up to November 30, 2021 had the contractual right to use this data for another three months, until the end of February 2022 [26]. This decision also testifies to the responsibility of BLACK TIGER BELGIUM with regard to the transferred processing activities.

II.2.2. Data processing

52. Article 4.2) of the GDPR defines a processing of personal data as “an operation or a set of operations relating to personal data or a set of personal data, whether or not carried out via automated processes, such as collecting, recording, organizing, structuring, storing, updating or modifying, retrieving, consulting, using, providing by transmission, dissemination or otherwise making available, aligning or combining, shielding, erasing or destroying data”.

[22] Ibid.
[23] Conclusion in rejoinder dated March 7, 2022 of the defendant, p. 3.
[24] Ibid.
[25] Ibid.
[26] Ibid.

53.
Based on this definition and on the documentation provided in the framework of the investigation as well as the conclusion phase, the Disputes Chamber distinguishes four different processing activities carried out by the defendant, and in particular:

A. the processing of consumer data in the CMX database in the context of the “B2C Data Delivery” service, whereby the defendant, pursuant to Article 6.1.f) GDPR, collects and enriches personal data of consumers for the purpose of the commercial supply of data to its customers, who use this personal data for direct marketing purposes, and in particular for sending advertising messages, as well as for validation, identification and analysis purposes;

B. the processing of consumer data in the CMX database in the context of the “B2C Data Quality” service, whereby the defendant, on the basis of Article 6.1.f) GDPR, collects, enriches and consolidates personal data of consumers in order to assign, against payment, a reliability score to personal data of consumers already in the possession of the customers of BLACK TIGER BELGIUM, so that these can improve the quality of their data by formatting, standardizing, correcting and/or internally linking it (matching);

C. the processing of company data in the Spectron database in the context of “B2B Data Delivery” services, whereby the defendant, pursuant to Article 6.1.f) GDPR, collects and enriches personal data of natural persons associated with companies with a view to the commercial delivery of the personal data to its customers, who use this personal data to send advertising messages [27] and for segmentation purposes (validation, identification and analysis of profiles);

D.
the processing of company data in the Spectron database in the context of “B2B Data Quality” services, whereby the defendant, under Article 6.1.f) GDPR, collects, enriches and consolidates personal data of natural persons associated with companies in order to assign, for a fee, a reliability score to personal data already in the possession of customers of BLACK TIGER BELGIUM, so that they can improve the quality of their data by formatting, standardizing, correcting and/or internally linking it (matching).

54. Since BISNODE BELGIUM in the present case has determined both the means and the ends for each of these processing activities, BLACK TIGER BELGIUM must, in its capacity as legal successor of BISNODE BELGIUM, be considered a controller. In light of the foregoing elements, the Disputes Chamber will then assess step by step the findings of the Inspection Service in the investigation report as well as the documents provided by the parties and their defenses.

[27] Exhibit 12 (“Screenshots of the website https://bisnodeandyou.be/”) in the inventory, p. 38.

II.3. Lawfulness of the processing (Article 5.1.a) and 5.2, as well as Article 6.1 GDPR)

II.3.1. Position of the Inspection Service

55. According to the Inspection Service, the defendant wrongly relies on his legitimate interests for the processing of the data of the complainants within the framework of his commercial activities, and he therefore infringes Article 6.1 GDPR.

56. The Inspection Service notes in particular that the defendant processes on a large scale various personal data (including general personal information, contact details, professional details and family data) that have been obtained partly from the data subjects themselves and partly from other sources, so-called “partners” of the defendant.
According to the Inspection Service, this implies that the data subjects cannot reasonably expect their personal data to be collected without their consent, systematically and against payment by the defendant to its customers for marketing campaigns, or processed in the context of the defendant's freedom of action. Consequently, the third condition of Article 6.1.f) GDPR cannot be satisfied, namely the so-called balancing test between the interests of the defendant, on the one hand, and the fundamental freedoms and fundamental rights of the data subjects, on the other hand. [28]

57. Moreover, according to the Inspection Service, the defendant does not demonstrate that his interests outweigh those of the data subjects, thereby also violating Articles 5.1.a) and 5.2 GDPR.

[28] See Title II.3.3.3 below in this decision.

II.3.2. Position of the parties

II.3.2.1. Relying on a legitimate interest (6.1.f) GDPR) as the basis for the processing of personal data and weighing of interests by BLACK TIGER BELGIUM

58. The complainants essentially take the position that the processing of their personal data by the defendant for commercial purposes took place in an unlawful manner, since the complainants were not informed of this and never gave their consent. In other words, the complainant posits that the defendant cannot rely on a legitimate interest for the collection as well as the subsequent commercialization of his personal data.

59. The defendant, on the other hand, states that he is permitted, on the basis of his legitimate interest as well as that of its customers and partners, to process personal data of the complainants as well as of other data subjects. According to the defendant, the Inspection Service did not take into account all the elements that the defendant had nevertheless put forward to demonstrate its legitimate interests and the proportionality of the processing.
The defendant claims to have specifically pointed out to the Inspection Service, during the investigation, the relevant passages of the various LIA reports [29] that related to the identification of the data in question, but also to the legality, necessity and proportionality tests. The Inspection Service's determination that the defendant did not take into account the three aforementioned cumulative conditions would therefore be manifestly incorrect.

60. The defendant also complains that the Inspection Service made no attempt to determine the precise factual circumstances of the case.

61. Legality test: First of all, the defendant argues that direct marketing as such constitutes a lawful purpose, as stated in recital 47 GDPR and reiterated in the GBA recommendation 01/2020 [30]. The defendant also points to his legitimate interest in the continuation of its services regarding big data expertise, which he has been offering to his customers for years, on the basis of his fundamental freedom to conduct a business as provided in Article II.3 of the Code of Economic Law and Article 16 of the EU Charter of Fundamental Rights [31]. Taking into account the freedom to conduct a business when the Disputes Chamber assesses the balance of interests would therefore be indispensable. Therefore, the processing activities of the defendant in the context of his Data Delivery activity would meet the purpose or legality test.

62. In addition, according to the defendant, the Data Quality services would serve the legitimate interests of customers of BLACK TIGER BELGIUM, in particular to be able to implement effective marketing campaigns and to maintain, as the GDPR requires, databases that contain only correct and current information. The Data Quality services would therefore also meet the legality test.

[29] Legitimate Interest Assessment Reports; see margin nos. 95 and 130 in this decision.
[30] GBA, Recommendation No.
01/2020 of January 17, 2020 on the processing of personal data for direct marketing purposes, https://www.gegevensbeschermingsautoriteit.be/publications/aanadvies-nr.-01-2020.pdf.
[31] Article 16 Charter of Fundamental Rights of the European Union: “The freedom to conduct a business is recognised in accordance with Union law and national laws and practices.”

63. Necessity test: Secondly, according to the defendant, the need to process data for the intended direct marketing activities cannot be disputed, since sending mail is not intrusive and is not prohibited under any law, and direct marketing by post is not subject to any specific regulation which requires the prior consent of the recipients (as opposed to direct marketing by email). Consequently, the defendant argues, the processing activities of BLACK TIGER BELGIUM in the context of its Data Delivery activity also satisfy the necessity test. According to the defendant, the report of the Inspection Service does not, however, adequately explain why there would be a lack of proportionality, as the defendant's activity consists precisely of collecting data of various kinds on a large scale. On the contrary, it would be “completely normal and legitimate” that the defendant “collects various data to protect the family or to characterize a person's socio-professional situation”, “since the defendant has been professionally active in the sector for many years”. The defendant emphasizes that the large-scale processing of personal data falls within his expertise in big data, and according to him, no argument could be derived in the abstract from the fact that data are collected from various sources, nor from the large scale of the processing by BLACK TIGER BELGIUM.

64.
Balancing test: Third, the defendant maintains that, contrary to what the Inspection Service claims, he has weighed up, properly and with the necessary accuracy, his interests against the rights and freedoms of the data subjects, taking into account the nature of the processing, its consequences for the data subjects, and the interests of the company. The defendant refers in particular to the documented balancing of interests [32] (which, according to the defendant, applies only to direct marketing campaigns by post), which was sent to the Inspection Service and which takes into account:

▪ the economic interest of the defendant and its customers;
▪ the defendant's fundamental freedom to conduct a business;
▪ the negative and positive consequences of the processing, whereby, according to the defendant, it is not necessary to avoid any negative consequences for the data subject, but rather the intention is to prevent a disproportionate impact on the data subjects;
▪ the “rather innocent” nature of the data;
▪ the reuse and further processing of publicly available personal data from, among others, the KBO and the NBB;
▪ “the data subject's right to object/opt-out”; and
▪ making transparent information public on, among other things, the website of the defendant and that of its data sources, as well as the mandatory indication of BISNODE BELGIUM in the advertising messages sent by customers to their target audience.

[32] Exhibit 5 (“Legitimate Interest Assessment Consu-Matrix 27082020”) filed with the conclusions of the response of the defendant; Exhibit 6 (“Legitimate Interest Assessment Spectron 27082020”) filed with the conclusions of the response of the defendant.

65.
The defendant states that, taking these interests into account, he came to the conclusion that the negative consequences for the data subjects do not outweigh the positive consequences for the defendant and his customers, given the freedom of entrepreneurship, as well as the positive consequences for the data subjects themselves, who, through the processing of their personal data, will no longer receive irrelevant advertising.

66. Accordingly, the legitimate interests invoked by the defendant constitute, according to the defendant, an appropriate basis for the processing of personal data of data subjects, since the defendant has taken a series of measures to guarantee at all times, in the context of the proportionality test, the balance between the relevant interests, as well as to be able to demonstrate this in accordance with the accountability obligation resting on the defendant. In that regard, the defendant refers in particular to the following measures, which he has already implemented [33]:

▪ an extensive due diligence of the data sources in terms of data protection, including thorough analyses of licenses of public sources regarding the reuse of public data;
▪ the obligation for data sources to inform data subjects about the transfer of their data to the defendant, so that the defendant or other companies can deliver personalized offers to the data subjects;
▪ the mandatory mention of “BISNODE BELGIUM” in the advertising message and the right of review of the defendant regarding the advertising message, in combination with conducting campaigns through the media to increase the visibility of the defendant among the data subjects;
▪ compliance with the principle of minimal data processing as well as the fact that “data enrichment is only applied to data that is already in the possession of Bisnode Belgium customers” [34];

[33] Conclusion of response dated January 24, 2022 from the defendant, p. 7.
[34] Conclusion of response dated January 24, 2022 from the defendant, p.
7 in fine.

▪ the effective possibility for data subjects to exercise their rights under the GDPR; and
▪ taking appropriate technical and organizational measures.

67. Reasonable expectations of the data subjects: In the alternative, the defendant posits that the assessment of the legitimate interest of the controller necessary to take into account the reasonable expectations of the person involved. Thus, the Inspection Service's determination that the data subjects would not expect the data to be processed “without their consent” and “for payment” would be irrelevant, because, according to the defendant, the criterion of reasonable expectations stated in recital 47 of the GDPR [35] would only relate to the hypothesis of further processing of personal data within the meaning of Article 6.4 GDPR [36]. By systematically taking into account the reasonable expectations of the data subjects at the time of collection, the lawfulness of the processing would, according to the defendant, rely fully on the subjective position of the data subjects at a certain point in time, which would reduce the other criteria for assessing the proportionality of the processing to unnecessary considerations. Such reasoning would, moreover, “almost necessarily [lead] to the conclusion that BLACK TIGER BELGIUM has no overriding legitimate interest, since the data subjects, by definition, cannot or can only with difficulty expect that their data will be subject to technical processing such as that carried out by the defendant (and which is also part of his secret know-how)” [37], so that in fact any Data Delivery activity in a broad sense becomes impossible. The defendant argues that the criterion of reasonable expectations is therefore not the only criterion that can be used to assess proportionality.
In addition, account must also be taken of: (i) the degree of transparency of the data processing; (ii) the defendant's efforts to inform the data subjects; and (iii) encouraging the data sources and customers of the defendant to “make an active contribution to those involved”. The defendant further states that the choice of a legitimate interest as a basis for the processing of personal data “by definition” entails a certain infringement of the fundamental rights and fundamental freedoms of the data subjects, but does not lead to a restriction of the obligations of a controller under the GDPR. The data subjects can always exercise their right to object, thanks to the transparency information on the defendant's website as well as the mandatory mention of BISNODE BELGIUM in the advertising messages that its customers send to data subjects.

[35] Recital 47 GDPR: “[…] In any case, a careful assessment is required to determine whether there is a legitimate interest, as well as to determine whether a data subject can, at the time and in the context of the collection of the personal data, reasonably expect that processing can take place for that purpose […]”.
[36] Conclusion in rejoinder dated March 7, 2022 of the defendant, p. 15.
[37] Conclusion in rejoinder dated March 7, 2022 of the defendant, p. 16.
[38] Conclusion of response dated January 24, 2022 from the defendant, p. 8.
[39] Conclusion of the defendant's response dated January 24, 2022, p. 9.

68. However, should the Disputes Chamber reject the arguments put forward by the defendant, the defendant requests that the handling of the case be suspended and that a preliminary question be submitted to the Court of Justice of the European Union regarding the interpretation of Article 6 GDPR and of the freedom to conduct a business under the Charter of Fundamental Rights of the European Union.
According to the defendant, the Disputes Chamber is namely: “a 'court or tribunal of a Member State' […] within the meaning of Article 267 of the Treaty on the Functioning of the European Union, in the sense given to this autonomous concept of Union law by the Court of Justice. It was established by the law of 3 December 2017, has a permanent character, is certainly independent or at least should be according to both EU law and Belgian law, and it issues legally binding decisions at the end of an adversarial procedure that complies with legal rules that are laid down in particular in a clear separation between the investigative function on the one hand, and the adjudicating function on the other. As such, it has the right to request the Court of Justice of the European Union for a preliminary ruling on the interpretation and validity of the treaties and acts of the institutions, bodies and agencies of the Union”.

69. Finally, in his conclusions in response, the defendant emphasizes that the following elements are indispensable to properly assess the role of the defendant:

i. BLACK TIGER BELGIUM is a big data specialist, i.e. a technical expert in the processing of enormous amounts of data.

ii. The now discontinued Data Delivery activities include:
   i. purchasing data from different sources;
   ii. processing this data to generate suitable datasets; and
   iii. delivering these datasets to professional customers who use them to enrich their own data or to try to reach new customers by carrying out direct marketing campaigns at their own expense.

iii. Since the personal data provided by the partner sources of BLACK TIGER BELGIUM are collected either directly from the data subjects or from third parties, it is in the first instance up to these sources to guarantee the legality of the initial processing and to provide data subjects with information about the processing, purposes, etc.

iv.
Since BLACK TIGER BELGIUM mainly carried out technical processing in order to compile datasets that met the needs of his professional customers, the defendant maintains that in this context he acted as processor and its customers as controllers. Therefore, the role of the defendant as controller is strictly limited to the aggregation of data, being the technical processing within the context of its know-how, which were kept available in its CMX database for direct marketing purposes for the benefit of its customers.

v. It is then the defendant's professional clients who, after they had received the datasets that exactly matched their requests, personally sent direct marketing communications to the data subjects. Since the defendant has never conducted a canvassing campaign by post towards consumers for its own needs, the customers of the defendant are the only ones responsible with regard to the processing of personal data in the context of the direct marketing communications sent, now that they are the initiators of this, for their own needs.

vi. The activities in the field of Data Delivery related almost exclusively to the postal channel, as opposed to emails, cell phone numbers, or other digital channels. These activities, described in detail in the response letter to the Inspection Service dated April 27, 2021, were governed by clear contractual agreements with both the sources and the professional clients of the defendant.

II.3.2.2. Continuation of the Data Delivery service after the acquisition of BISNODE BELGIUM by BLACK TIGER

70. In his conclusions, the complainant refers to the defendant's web page [40] on which, on 14 February 2022, the purposes for processing personal data were still reported, in particular: (a) Data Delivery, (b) Data Quality and (c) Internal use.

[40] https://avg.blacktigerbelgium.tech/uw-professionele-gegevens/waarom-professioneel/.
[41] The Disputes Chamber emphasizes that the complaints do not relate to internal use and that no investigation was conducted into internal use, with the result that the Disputes Chamber will limit its assessment to the first two processing operations.

71. In particular, the complainant argues that the defendant provided the following explanation in February 2022 with regard to its Data Delivery services: “In the context of our Data Delivery activities, we commercialize your data for prospecting and direct marketing purposes, to make them available to our customers to enrich established databases, to draw up marketing profiles and/or to conduct market research” [42]. In other words, the complainant posits that the defendant, in contradiction with his conclusions, was still engaged in 2022 in direct marketing activities in the context of its Data Delivery activities (including creating profiles of data subjects) based on data from public sources such as the Crossroads Bank for Enterprises, while such data is in principle solely intended to give third parties the possibility to check company data. Also with regard to the processing of consumers' data, the defendant would have indicated that these are processed by him, and in a number of cases also provided to his customers.

72. In his summary conclusion, the defendant clarifies that the disputed communication on the website is purely the result of the transition periods specified in the agreements with customers of the B2B Data Delivery service who had received data from Spectron until November 30, 2021.
Notwithstanding the transfer of the services to [the company Z6] on December 1, 2021, these customers had the right to use the provided data for another three months, until the end of February 2022. The defendant has therefore kept on its website information about the categories of collected data, the purposes of the processing and the rights of the data subjects. The defendant states that this is expressly stated on the web page https://avg.blacktigerbelgium.tech/uw-professionele-gegevens/, which precedes the web page, cited by the complainant, containing the description of the processing purposes. In short, according to the defendant, the complainant is wrong in positing that BLACK TIGER BELGIUM would still resell personal data to its customers in 2022.

[42] Conclusions of the complainant's reply dated February 15, 2022, p. 2.
[43] See margin no. 51 in this decision.

II.3.2.3. Processing government data from the KBO for direct marketing purposes, by BLACK TIGER BELGIUM

73. The complainant states that the contact details of the entities registered with the Crossroads Bank for Enterprises are made available both via the “public search” web page and via so-called “KBO Web Services” or reuse files. Although it is legally possible to purchase a data license from the KBO for reuse of company data, according to the complainant it is unclear whether the defendant has the necessary KBO annual subscription to be able to use this data. Regardless of this license for reuse, the complainant states that, in accordance with Belgian law on the KBO, it is nevertheless expressly prohibited to use KBO data for direct marketing, with the result that the use of KBO data for direct marketing purposes by BLACK TIGER BELGIUM constitutes at least a violation of the law.
The complainant points out that making KBO data available via the “public search” functionality is in accordance with Article III.31 of the Code of Economic Law [44] and in accordance with Article 1 of the Royal Decree of March 28, 2014 implementing Article III.31 of the Code of Economic Law, in particular the

[44] Code of Economic Law, B.S., March 29, 2013, article III.31: “All natural persons, legal persons or entities have access, via the internet, to the data referred to in Article III.29, § 1, registered in the Crossroads Bank for Enterprises. At least a freely accessible website is provided on which this data can be found in a readable format […]”.
[45] Royal Decree implementing Article III.31 of the Code of Economic Law, in particular the provision of data from the Crossroads Bank for Enterprises that are accessible via the internet, as well as the conditions for consulting them, B.S., April 28, 2014, article 1: “§ 1. The following information from the Crossroads Bank for Enterprises is accessible via the internet: 1° the company number and the establishment unit number(s); 2° the names of the registered entity and/or its business units; 3° the addresses of the registered entity and/or its business units; 4° the legal form; 5° the legal situation; 6° the economic activities of the registered entity and its business units; 7° the qualities according to which the registered entity is registered in the Crossroads Bank for Enterprises; 8° […]; 9° the surname and first name of the founders and of the persons who exercise a function in the registered entity which is subject to disclosure; 10° the reference to the website of the registered entity, its telephone and fax numbers as well as its e-mail address; […] § 2. The name and address of the natural person's place of residence are not shown when accessing the data stated in paragraph 1, unless: (a) either this name corresponds to the name of the registered entity or its establishment unit; b) or the address
of the place of residence corresponds to the address of its business unit. § 3. Only the active data referred to in paragraph 1 are stated. § 4. Data that has a starting date in the future or that has been discontinued is not listed.
determination of the KBO data that are accessible via the internet as well as the conditions for consulting it.
With regard to the provision of contact details in the context of web services or reuse files, the complainant believes that the KBO makes a number of data available for reuse via the entire file. This data includes information regarding the entity and natural person as well as the surnames and first names of the persons who, within legal entities, perform functions or prove entrepreneurial skills.
74. The complainant adds that, as a person responsible for a company, he can also provide so-called “declarative” additional contact details. Providing such contact details in the context of the web services or reuse files of the KBO must in principle be carried out in accordance with Article III.33 of the Code of Economic Law46 and the Royal Decree on the reuse of public data of the Crossroads Bank for Enterprises47, which expressly prohibits using and/or redistributing public data from the KBO for direct marketing purposes:
“Article 2 — § 1. The public data of the Crossroads Bank for Enterprises can, in accordance with the further rules and conditions of this decision, be passed on by the management service to third parties for the purpose of reuse. However, third parties may not use and/or redistribute personal data for direct marketing purposes. § 2. The management service may pass on neither the identification number in the National Register nor the identification number in the Crossroads Bank for Social Security to third parties. § 3.
The special conditions for reuse are laid down in a license agreement between the licensee and the Belgian State”
According to the complainant, this prohibition is also included in the privacy statements as well as the license agreements from the Crossroads Bank for Enterprises:
“2.2 The licensee may not use the personal data for direct marketing purposes, in accordance with Article 2 of the Royal Decree of 18 July 2008 regarding the reuse of public data from the Crossroads Bank for Enterprises.”
Notwithstanding the first paragraph, given that it concerns a discontinued registered entity, the data referred to in paragraph 1, which were active at the time of the cessation of the registered entity”.
46 Code of Economic Law, B.S., March 29, 2013, article III.33 — “Without prejudice to the provisions of Articles III.29 and III.30, the King, after advice from the Supervisory Committee, determines the data of the Crossroads Bank for Enterprises that may be the subject of commercial or non-commercial reuse as well as the modalities regarding their provision. Only the management department is allowed to provide these basic data to companies”.
47 Royal Decree of 18 July 2008 regarding the commercial reuse of public data from the Crossroads Bank for Enterprises, B.S., October 29, 2008.
75. In his rejoinder, the defendant states that he has concluded a data license with the KBO and also adheres to the terms of use of this license. According to the defendant, it is therefore established that he does not use KBO data for direct marketing purposes, but processes them exclusively for Data Quality purposes. The defendant also emphasizes that “direct marketing” is nowhere stated as an intended commercial purpose in the license agreement concluded between BLACK TIGER BELGIUM and the FPS Economy.
76.
Although he expressly stated in his first defense that the company and contact details of Belgian companies in the reference file “Spectron” — which have been obtained indirectly via both public/government sources (KBO, NBB) and via commercial data sources — were also used for direct marketing purposes, the defendant stated during the hearing on February 22, 2023 that “it is nevertheless clear that BLACK TIGER BELGIUM does not contain any data from the KBO for direct marketing purposes”.
77. In his written comments regarding the report of the hearing dated 22 February 2023, the defendant further emphasizes that BLACK TIGER BELGIUM itself was never the sender of promotional messages, nor the designer of the content of such messages. It is always the defendant's customers who are responsible for selecting addresses and sending advertising messages to these addresses. In any case, according to the defendant, this does not prevent his customers from processing data themselves for direct marketing purposes, with the understanding that they then carry out processing using data already in their possession, which were therefore in no way supplied by BLACK TIGER BELGIUM. Finally, the defendant argues that the only processing operations at issue are promotional campaigns by post, excluding all digital or other means of communication.
II.3.2.4. Mass processing of personal data of minors without permission
78. Based on the answers to the requests for access, the complainant determines that the defendant processes personal data of minors, in this case the minor children of the complainants. This data is said to have been obtained via [the Z7 company], as well as other commercial companies such as [the company Z8] and [the company Z9].
In this regard, the complainant refers to the alleged 21.10% share of the Belgian population of which [the company Z6] processes personal data, in order to conclude that the defendant processes an even larger volume of data, partly thanks to the data that the defendant purchases from additional suppliers.
79. In his rejoinder, on the other hand, the defendant points out that he only processes limited data of minors (date of birth and gender of the child, in relation to the parent identified in the source file). This data is used solely for segmentation purposes. In no event has the defendant provided data of minors to its customers with which they could send advertising directly to minors.
II.3.2.5. Retention periods applicable to the collected personal data
80. During the hearing on February 22, 2023, the complainant regrets the exceptionally long retention periods of 15 years after the last registration in the defendant's databases. The complainant states that if data is re-registered in any way in the defendant's databases, a new term of 15 years begins. This would, moreover, be evident from the information that the complainants received in the response from the defendant, in which data that is more than 15 years old is included, including data of their children and a number of “outdated email addresses dating back to the mid-1990s”.
81. To the question of the Disputes Chamber during the hearing of February 22, 2023, regarding what measures have been taken to assess and guarantee the quality of personal data that is 15 years old, the defendant merely replies by confirming that the personal data will in principle be retained for a period of 15 years.
When the complainant then points out that the current privacy statement has a retention period of 3 or 10 years, depending on the category of the person involved, the defendant answers that the current privacy statement is not relevant since the complaint as well as the investigation report, both of which are the subject of the present proceedings before the Disputes Chamber, relate to the period before June 2021.
82. In addition, the defendant emphasizes in the context of the reopening of the debates48 that the old privacy statement has now been “completely annulled and replaced”. defendant that the privacy statement on the website is intended for the general public, in contrast to the privacy statement that applies to data subjects who have received direct marketing communications in which the defendant is mentioned by name50. This distinction, which according to the defendant does not relate to the nature of the personal data, is expressly emphasized on the first page of the modified general privacy statement — which would nevertheless be insufficient for the present case, according to the defendant.
48 Conclusions of the defendant (“Additional Conclusion Black Tiger (1002387.1)”) submitted to the Disputes Chamber on September 11, 2023.
49 https://www.blacktigerbelqium.tech/privacy-policv.
II.3.2.6. Enriching personal data with personal impact
83. The complainant posits that the defendant enriches personal profiles on the basis of statistical data from the National Institute for Statistics, and that the consequences of this enrichment are significant and immediately tangible for those involved. The complainant refers specifically to a specific company that would determine the creditworthiness of its customers based on profile data as well as data provided by the defendant.
The defendant's response to the requests for access would also reveal that the profiles of the complainants are classified as “Social class: elite class”51.
84. In his rejoinder, the defendant disputes this claim of the complainant, which is not supported by the documents in the file.
85. During the hearing before the Disputes Chamber on February 22, 2023, the defendant was asked to what extent the Data Quality services he provides — whereby the customers of the defendant share their own customer files with the defendant for quality control, i.e. to check whether the personal data is sufficiently trustworthy — also entail (a form of) data enrichment. The defendant answers that when receiving customer data about a specific data subject, he will only check whether more relevant data is now known about the same data subject — for example, an email address that came into use more recently — before assigning a score to the data supplied and communicating this score to the client. According to the defendant, no new personal data will be transferred to customers in the context of the Data Quality services.
II.3.3. Judgment of the Disputes Chamber
86. Prior to its substantive assessment of the lawfulness of the processing of the complainants' personal data by the defendant, the Disputes Chamber wishes to emphasize that, contrary to what the defendant stated in his response dated 24 November 2023 on the sanction form52, there is by no means “an incomprehensible confusion” created “between the activities of Data Delivery and Data Quality”.
50 Available on the website https://avg.blacktigerbelgium.tech.
51 Document 2 (“Response to the request for access of November 13, 2020 from Bisnode Belgium”), p. 3 and Document 3 (“Response to the request for access dated December 23, 2020 from Bisnode Belgium”), p. 2, as submitted to the Disputes Chamber in the context of the conclusions in response.
The Disputes Chamber also disputes the defendant's statement that no adversarial debate was opened regarding the Data Quality services. Neither argument is convincing, for the reasons below.
First, the complainants' grievances relate to the processing of their personal data by the defendant, without the complainants expressly distinguishing between the different services offered by the defendant. This is also logical: data subjects cannot be expected to expressly mention in their complaint to the GBA the commercial names that a controller gives to the processing activities that he carries out. Moreover, in his answers to both requests for access, the defendant did not make any distinction depending on the service for which the personal data of the respective complainants were processed. Specifically with regard to the complainant, the defendant does, on the other hand, distinguish between the consumer base, on the one hand, and the company base, on the other.
Secondly, the investigation report explicitly refers to the answer dated April 21, 2021 from the Data Protection Officer (hereinafter, DPO) of the defendant to the questions from the Inspection Service, in which no distinction is made either between the Data Quality and Data Delivery services. That answer shows very clearly that the defendant describes both services jointly as “commercial activities”: “14. As indicated in the letters in response to the complainants' right of access requests, Bisnode Belgium has processed their data in the context of its commercial activities based on Article 6 1 f) of the GDPR” (free translation)53.
Thirdly, during the hearing on February 22, 2023, questions were asked to the defendant that expressly related to the Data Quality services. However, the defendant never objected during the hearing to these questions, which he, moreover, answered.
The defendant was also free to raise and dispute the alleged “confusion” between both services in his response to the report of the hearing, which again he has not done. Finally, the defendant can hardly deny that already in his first defenses dated January 24, 2022 he explained both services of his own accord and referred in this regard to the documented weighing of interests for the different databases, in which no essential distinction is made depending on the Data Quality or Data Delivery services. In other words, it is established that the defendant acted both during the investigation and in the context of the written debates before the Disputes Chamber with regard to the Data Quality as well as the Data Delivery services, which is sufficiently demonstrated by the documents submitted in the context of the statements of defense.
52 Response from the defendant to the sanction form dated October 31, 2023, p. 2, point (i), and p. 3, point (iii).
53 “14. As indicated in the letters in response to the complainants' right of access requests, Bisnode Belgium processed their data in the context of its commercial activities on the basis of Article 6 1 f) of the GDPR” (original in French).
87. According to Article 5.1.a) GDPR, personal data must be processed in a manner that is lawful, fair and transparent with regard to the data subjects. Furthermore, Article 6.1 GDPR stipulates that the processing of personal data is only lawful if and insofar as it is based on a valid legal basis. Finally, the controller must be able to demonstrate that the processing is lawful, in view of the accountability obligation that rests on him pursuant to Article 5.2 in conjunction with Article 24.1 GDPR.
88.
Based on the documents provided, the Disputes Chamber determines that the defendant relies on Article 6.1.f) GDPR (legitimate interest) for the collection and processing of personal data in CMX and Spectron, while the consent of data subjects applies as the processing basis for data processing in the context of Permesso. However, in the context of the present case, the Disputes Chamber understands that the personal data of the complainants were not processed in Permesso56. Therefore, the Disputes Chamber limits its assessment in this regard to data processing operations that relate to the CMX and Spectron databases.
89. The defendant confirms in his conclusions that he is relying on Article 6.1.f) GDPR for the collection of personal data of data subjects from public and private sources, as well as for the inclusion and enrichment of the same personal data in different internal databases, before commercializing these personal data to its customers in the context of both Data Delivery and Data Quality services, for direct marketing purposes. This is further supported by the defendant's answers to both complainants, in response to their requests for access:
54 Document 5 (“Legitimate Interest Assessment Consu-Matrix 27082020”) filed with the defendant's conclusions in response; Document 6 (“Legitimate Interest Assessment Spectron 27082020”) filed with the defendant's conclusions in response.
55 See marginal nos. 64 et seq. in this decision.
56 Document 2 (“Response to the request for access of November 13, 2020 from Bisnode Belgium”), as submitted to the Disputes Chamber in the context of the response.
57 Conclusions of the defendant's reply dated 24 January 2022, p. 11; Conclusions of the defendant's rejoinder dated 7 March 2022, p.
21
58 Document 5 (“Legitimate Interest Assessment Consu-Matrix 27082020”) filed with the defendant's conclusions in response; Document 6 (“Legitimate Interest Assessment Spectron 27082020”) filed with the defendant's conclusions in response.
“Your data is processed by us on the basis of the following legal basis, in particular: pursuit of our legitimate interest (art. 6.1.f of the General Data Protection Regulation) in the context of our commercial activities.”59
“We process your personal data in accordance with the GDPR, as described in the Privacy Policy available at www.bisnodeenu.be. This data processing is, on the one hand, necessary to promote the legitimate interest of Bisnode Belgium and, on the other hand, to promote the legitimate interests of others (Article 6.1.f GDPR).”60
90. Since it is therefore established that the defendant has processed personal data of the complainants exclusively on the basis of Article 6.1.f) GDPR, the Disputes Chamber will not consider the processing of personal data by the defendant on the basis of the consent of those involved61.
91. In accordance with Article 6.1.f) GDPR and the case law of the Court of Justice of the European Union (hereinafter “CJEU”) in its judgment “Rīgas”62, three cumulative conditions must be met for a controller to validly rely on this ground of lawfulness, namely: “[…] first of all, the promotion of a legitimate interest of the controller or of the third party(ies) to whom the data is provided; secondly, the necessity of processing the personal data for the pursuit of the legitimate interest; and, thirdly, the condition that the fundamental rights and freedoms of the data subject do not prevail”.
92. In order to be able to rely on legitimate interests in accordance with Article 6.1.f) GDPR, a controller must therefore demonstrate that:
i.
the interests it pursues with the processing can be recognized as justified (the “target test”);
ii. the intended processing is necessary for the realization of these interests (the “necessity test”); and
iii. the weighing of these interests against the interests, fundamental freedoms and fundamental rights of those involved weighs in favor of the controller (the “balancing test”).
59 Answer from the defendant to the complainant, dated November 13, 2020.
60 Reply from the defendant to the complainant, dated December 23, 2020.
61 I.e., in the context of the website www.permesso.be and in the Permesso database.
62 CJEU, May 4, 2017, C-13/16, Valsts policijas Rīgas reģiona pārvaldes Kārtības policijas pārvalde v Rīgas pašvaldības SIA 'Rīgas satiksme' (ECLI:EU:C:2017:336), marginal no. 28. See also CJEU, 11 December 2019, C-708/18, TK v Asociaţia de Proprietari bloc M5A-ScaraA (ECLI:EU:C:2019:1064), marginal no. 40.
63 See also Decision on the merits 71/2020 of October 30, 2020, marginal nos. 68-73 (available on the GBA website).
The Disputes Chamber will test the disputed data processing operations64 against the three aforementioned conditions in the following sections.
II.3.3.1. Target test
93. The Disputes Chamber recalls that the weighing of interests does not play a role if the interest of the controller is unjustified, since the first threshold for the use of Article 6.1.f) GDPR is not reached in such circumstances65. The interest pursued by a controller or third party must be distinguished from the objectives that are pursued through a certain processing66. In the context of data protection, after all, the “purpose” is the specific reason why the data is processed: the purpose or intention of the data processing. The “interest”, on the other hand, is a broader concept and concerns the value to the controller or the benefit that the controller, or society, may have in the processing67.
94.
Since it does not behoove it to judge in the abstract the practice of data trading or the broader so-called data brokerage or data intermediaries industry, the Disputes Chamber will give its judgment in the present case in concrete terms, on the basis of the various documents that the parties have handed over both during the investigation and in the framework of the defenses, from which a detailed analysis of the various points of interest related to the defendant's activities as data broker is evident.
95. As regards the first condition for invoking Article 6.1.f) GDPR, the defendant lays down in the legitimate interest assessment (hereinafter 'LIA') that the processing activities associated with CMX68 resp. Spectron69 pursue the following goals: “[…] improving and expanding its own consumer database Consu-Matrix [resp. B2B database Spectron], to provide better services. These services can consist of (i) data analysis, (ii) enrichment, validation or other "Data Quality" services that aim to improve the quality of Bisnode customers' data, and
64 See marginal no. 52 in this decision.
65 Article 29 Data Protection Working Party, Opinion 06/2014 on the concept of "legitimate interest of the data controller" in Article 7 of Directive 95/46/EC (WP217, April 9, 2014), p. 30.
66 Ibidem, p. 29.
67 Ibidem, p. 29: "For example, a company may have an interest in the health and safety of its employees at its nuclear power plant. In connection with this, the company may have as its purpose the implementation of specific access control procedures that justify the processing of certain specified personal data to help ensure the health and safety of workers.”
68 Document 2, as submitted by the defendant to the Inspection Service in the context of the investigation; Document 5, as transferred to the Disputes Chamber in the context of the conclusions in response.
69 Document 3, as submitted by the defendant to the Inspection Service in the context of the investigation; Document 6, as transferred to the Disputes Chamber in the context of the conclusions in response.
(iii) provision of data sets for direct marketing purposes on the basis of specific criteria (segmentation) that cover offline and digital channels, including social media”70.
96. In particular, the defendant would process the personal data included in the CMX database as well as the Spectron database in order to pursue the following specific objectives71:
i. the commercialization and optimization of BLACK TIGER BELGIUM's activities as data broker;
ii. improving the quality of data in customer databases, in particular by validating, correcting and supplementing this data on the basis of the personal data that BLACK TIGER BELGIUM already has;
iii. the grouping of personal data that a company possesses about a specific person; and
iv. the analysis of data and the preparation of market segmentation profiles to infer preferences of data subjects, so that (i) client companies can offer them suitable products/services that correspond to their professional and personal situation and to the products/services they already own, and (ii) social networks or other media can adapt the advertisements shown on web pages of client companies to the interests of those involved.
The Disputes Chamber notes, partly in view of the wording used by the defendant, that the objectives pursued apply to both Data Delivery and Data Quality services, regardless of whether the processed personal data is in the CMX database (B2C) or in the Spectron database (B2B).
97. The “legitimate” nature of a pursued interest can generally be assumed to the extent that the three following conditions are met:
i. The interest pursued must first be legitimate, or in other words acceptable under EU law or the law of a Member State.
70 Original text: “[…] to enhance and increase its proprietary consumer database Consu-Matrix [/ B2B database Spectron], in order to deliver better services. Those services may include (i) data analysis, (ii) enrichment, validation or other "Data Quality" services aimed at improving the quality of the data held by Bisnode's customers, and (iii) delivery of data sets for direct marketing purpose on the basis of specific criteria (segmentation) covering offline and digital channels, including social media".
71 Document 2, as submitted by the defendant to the Inspection Service in the context of the investigation; Document 5, as transferred to the Disputes Chamber in the context of the conclusions in response (CMX); Document 3, as transferred by the defendant to the Inspection Service in the context of the investigation; Document 6, as submitted to the Disputes Chamber in the context of the conclusions in response (Spectron).
72 The Disputes Chamber is aware that the question of whether every interest is a legitimate interest, provided that that interest is not contrary to the law, and in particular the question whether this also applies to a purely commercial interest, has been submitted to the Court of Justice in case C-621/22, Royal Dutch Lawn Tennis Association. What is stated here reflects the current state of the law.
So it applies as a general rule that interests that are recognized by, or can be traced back to, a legislative measure or a legal principle constitute a legitimate interest. It goes without saying that the pursued interest must not be in conflict with the law, including legal restrictions relating to the relevant personal data.
ii. The pursued interest must also be determined in a sufficiently clear and precise way: the scope of the legitimate interest pursued must be clearly defined so that this interest can be properly weighed against the interests or fundamental rights and freedoms of those involved.
iii.
Finally, the legitimate interest must be existing and effective at the time of the data processing (and therefore not fictitious or purely hypothetical).
98. In the present case, the Disputes Chamber is of the opinion that the interests pursued with the B2C Data Delivery respectively the B2C Data Quality services, namely:
i. the interest for the defendant to enrich, improve and commercialize its databases in the context of his freedom of enterprise; and
ii. the interest of the defendant's customers to obtain the most current personal data in order to enrich their own databases or to confirm their correctness in the light of the principle of correctness74, with the purpose of conducting effective direct marketing campaigns;
are clearly established, demarcated, real and current, with the result that the desired interests are legitimate.
99. Regarding the specific complaints of the complainant that the defendant would also use KBO data (in Spectron) for direct marketing purposes, according to the Disputes Chamber it is, however, established that the relevant refutations of the defendant75 do not correspond to the documentation provided by him, nor to the screenshots from his website76:
73 CJEU, 11 December 2019, C-708/18, TK v Asociaţia de Proprietari bloc M5A-ScaraA (ECLI:EU:C:2019:1064), marginal no. 44.
74 Pursuant to Recital 39 and Article 5.1.d) GDPR.
75 See marginal nos. 75 to 77 in this decision.
76 Document 6 (“Legitimate Interest Assessment Spectron 27082020”) filed with the defendant's conclusions in response; Document 12 (“Screenshots from the website https://bisnodeandyou.be/”) in the inventory.
100.
The Disputes Chamber also notes that the conditions in Appendix 2 to the license agreement for the use of data from the KBO for commercial purposes77 not only prohibit own use for direct marketing, but also prohibit the redistribution of this data for direct marketing purposes:
Preliminary decision — To the extent that the defendant, in the context of its B2B Data Delivery services and B2B Data Quality services, would effectively process data from the KBO for direct marketing-related purposes, as is, moreover, described in the weighing of interests for the Spectron database78, the Disputes Chamber rules that BLACK TIGER BELGIUM cannot possibly rely on Article 6.1.f) GDPR for these processing operations since the legality condition has not been met.
77 Document 19 ("KBO license agreement Bisnode (790517.1)") filed with the conclusions of the defendant's rejoinder, p. 16.
78 Document 6 (“Legitimate Interest Assessment Spectron 27082020”) filed with the defendant's conclusions in response, p. 1.
II.3.3.2. Necessity test
101. In addition to the existence of a legitimate interest, the controller must also demonstrate the necessity of the processing for that interest before he can rely on Article 6.1.f) GDPR. The Court of Justice has emphasized that the condition regarding the necessity of the processing for the intended interest needs to be examined in conjunction with the principle of minimum data processing, as laid down in Article 5.1.c) GDPR. After all, the necessity requirement is important to guarantee that data processing based on legitimate interest does not lead to an overly broad interpretation of the criterion of the need to process data. Personal data must therefore always be sufficient, relevant and limited to what is necessary for the representation of the interests for which they are processed.
In concrete terms, the defendant must ensure that no means that are less intrusive in terms of impact on the personal privacy of those involved are available to achieve this interest than the intended processing80. This assessment must also take into account the principle of storage limitation under Article 5.1.e) GDPR.
102. In order to be able to assess whether the processing passes the necessity test, the Disputes Chamber again finds it important to take into account the documentation provided during the investigation and in the context of the defenses and conclusions submitted. The defendant explains the necessity of the disputed processing by answering three questions in the context of the assessment of the interests81 that he presents as justified regarding CMX resp. Spectron:
i. Why is the processing activity important for the controller?
ii. Why is the processing activity important for other parties to whom the data can be provided if necessary?
iii. Can the objective be achieved in another way?
79 CJEU, 11 December 2019, C-708/18, TK v Asociaţia de Proprietari bloc M5A-ScaraA (ECLI:EU:C:2019:1064), marginal no. 48.
80 Article 29 Data Protection Working Party, Opinion 06/2014 on the concept of "legitimate interest of the data controller" in Article 7 of Directive 95/46/EC (WP217, April 9, 2014), p. 35.
81 Document 5 (“Legitimate Interest Assessment Consu-Matrix 27082020”) filed with the defendant's conclusions in response; Document 6 (“Legitimate Interest Assessment Spectron 27082020”) filed with the defendant's conclusions in response.
82 (1) “Why is the processing activity important to the Controller?”; (2) “Why is the processing activity important to other parties the data may be disclosed to, if applicable?”; (3) “Is there another way of achieving the objective?”.
103.
The Disputes Chamber first determines on the basis of the documentation provided that there is no substantial difference between the assessment of the processing operations relating to personal data included in the CMX database (B2C) and the assessment of the processing of personal data included in the Spectron database (B2B). The following explanation therefore applies to both databases.
104. In answer to the first question, the defendant refers to the benefit that he himself derives from the processing of personal data, and in particular the necessity of the processing for the continuation of its economic activities. This position holds both for the Data Delivery and for the Data Quality services.
105. As regards the representation of the interests of third parties (second question), the defendant, on the other hand, does make a distinction based on the service provided.
i. B2C/B2B Data Delivery services — The defendant points out the advantage for its customers to reach prospects or to select consumer or entrepreneurial target groups via various channels (post, telephone, social media, ...) and thus increase their turnover. The processing would, in other words, be necessary for the enrichment of the databases of customers of BLACK TIGER BELGIUM with additional contact details of consumers and entrepreneurs, so that these customers could contact their own prospects and consumers via new communication channels for direct marketing purposes. In addition, the customers of BLACK TIGER BELGIUM would be able, on the basis of the additional attributes, to better analyze and segment their own customer databases based on enriched profiling data, again for the purpose of sending direct marketing communications.
ii.
B2C/B2B Data Quality services — The processing of personal data included in the CMX file as well as the Spectron database serves to improve the quality of the databases of BLACK TIGER BELGIUM customers, so that duplicate entries at individual or household level in the customers' databases can be combined and returns due to incorrect consumer addresses can be avoided [85].

106. As to the third question, the defendant summarily posits that other methods would be of less interest, would offer less security and would not contribute to deepening the relationship between BLACK TIGER BELGIUM customers and those involved. Accordingly, according to the defendant, there are no less intrusive but still effective measures to deepen existing customer relationships and generate more sales than direct marketing. This position also applies to both the Data Delivery services [86] and the Data Quality services.

[83] “The benefit of the processing for Bisnode Belgium is the continuation of its economic activities”.
[84] Exhibit 5 (“Legitimate Interest Assessment Consu-Matrix 27082020”) filed with the conclusions of the response of the defendant, p. 4; Document 6 (“Legitimate Interest Assessment Spectron 27082020”) filed with the conclusions in response of the defendant, p. 4.
[85] “The benefit of the processing for the Bisnode clients is multiple: […] To improve the quality of their database: Avoid postal returns because of bad addresses […] Be able to group a same person/household that is several times in the database”.

Minimum data processing — 5.1.c) GDPR

107. To be able to assess the necessity of these processing activities for the purposes pursued, the Disputes Chamber also takes the processed personal data into consideration.
Relying on the screenshots of the privacy policy on the website, the joint data protection impact assessment (GEB) for the three databases, the register of processing activities, as well as the response from the DPO of BISNODE BELGIUM to the questions from the Inspection Service and the detailed answers that the complainants received from the defendant - then still BISNODE BELGIUM -, the Disputes Chamber establishes [87] that BLACK TIGER BELGIUM processes the following categories of personal data in its databases:

i. Screenshots of the privacy policy dated March 31, 2021 [88] (CMX, B2C) — Name, first name, gender, language, age (or date of birth or presumed age group), address, landline phone, mobile phone, email address, date of last contact made by the data source with the data subject, statistical data at the district or municipality level (average income in the district where people live, percentage of owners/tenants, gardens, unemployment rate...), observation data (area of land, presence of solar panels…), derived data, marketing profiles.

ii. Screenshots of the privacy policy dated March 31, 2021 [89] (Spectron, B2B)
- Company details — Company name, company and VAT number, contact points, social security number, activity sector according to NACE, joint committee, size of the company, number of employees employed, date of establishment, details of and number of branches/branches/franchisees, web pages, financial information (including any solvency and bankruptcy).

[86] Document 5 (“Legitimate Interest Assessment Consu-Matrix 27082020”) filed with the conclusions in response of the defendant, p. 5; Document 6 (“Legitimate Interest Assessment Spectron 27082020”) filed with the conclusions in response of the defendant, p. 5.
[87] In accordance with a “careful finding of facts”, as emphasized by the Market Court in its interim judgment 2022/AR/292 of September 7, 2022, pp. 36 and 39.
[88] Item 12 (Screenshots of the Bisnode Belgium website taken by the Inspection Service on March 31, 2021) in the inventory, p. 45-48.
[89] Item 12 (Screenshots of Bisnode Belgium website taken by the Inspection Service on March 31, 2021) in the inventory, p. 31-33.

- Individual data — Surname, first name, gender, language, contact points, professional and sometimes private address, professional fixed and/or mobile telephone number, professional email address, date of birth, position or title (incl. date of appointment), derived data, marketing profiles, date on which the information was communicated to BISNODE BELGIUM or on which changes have been made.

iii. Joint GEB (CMX, B2C) [90] — Contact details, personal data about minors (over 16 years old), consumer interests, family typology, lifestyle data, identification data, personal characteristics.

iv. Joint GEB (Spectron, B2B) [91] — Contact details, collection details, electronic identification data, financial data, identification data, memberships, other data, personal characteristics, professional education and training.

v. Register of processing activities (CMX, B2C) [92] — Contact details, date of birth, age, socio-demographic and lifestyle data, family typology, presence of children, neighborhood data [93].

vi. Register of processing activities (Spectron, B2B) [94] — Contact details, company data (CBE number, number of employees, turnover, NACE, ...), financial data [95].

vii.
Letter to the GBA (CMX, B2C) [96] — General personal information (name, first name, gender, language and age or date of birth or presumed age), contact details (postal address, landline telephone number, mobile telephone number and e-mail address), typologies such as family (young couple, single with or without children), housing (single-family or multi-family home), statistical data at neighborhood and/or municipality level (average income, percentage owners/tenants, percentage of gardens, unemployment rate, etc.), and general physical information at neighborhood level (average plot size or the presence of solar panels, etc.).

viii. Letter to the GBA (Spectron, B2B) [97] — Surname, first name, gender, language, business address, business telephone number (landline and/or mobile), business email address, date of birth, position or title within the company, date of appointment or entry into force.

ix. Responses to the access requests [98] — Surname, first name, address, gender, language, date of birth, email address, child (incl. date of birth and gender), family typology, statistical data at neighborhood level (urbanization, social class, percentage of higher education, percentage of unemployed, percentage of gardens, percentage of owners).

[90] Part 1 (“DPIA Bisnode 23 May 2018 - Consu -Spectron-Permesso”) submitted to the Inspection Service.
[91] Ibid.
[92] Piece 30 (“Piece 30 - Bisnode Belgium - Copy of Record of Processing”) submitted to the Inspection Service.
[93] “Contact Data, Date of Birth, Age, Socio-demo and Lifestyle data, Family typology, Presence of children, Neighborhood data”.
[94] Part 30 (Bisnode Belgium - Copy of Record of Processing) transferred to the Inspection Service.
[95] “Contact Data, Firmographics (CBE number, number of employees, turnover, NACE, ...), Financial data”.
[96] Appendix (“Réponse Inspection APD 27042021”) to Item 18 in the inventory.

108.
The personal data processed at the time of the complaints therefore included several categories, which the Disputes Chamber explains below per database:

CMX (B2C) | Spectron (B2B) |
---|---|
Identification data: name, first name | Identification data: name, first name |
Contact details: address, landline and/or mobile telephone number, e-mail address | Contact details: business address, business landline and/or mobile telephone number, business email address |
Personal data about minors (> 16 years): date of birth and gender | Electronic identification data: not further defined |
Personal characteristics: gender, language, age (or date of birth or probable age group) | Personal characteristics: gender, language, date of birth, position or title (incl. date of appointment) |
Consumer interests: not further defined | Financial specifications: solvency, bankruptcy |
Lifestyle data: not further defined | Vocational education and training: not further defined |
Family composition: family typology (single with or without children, young couple, etc.), date of birth and gender of child(ren) | Collection data: not further defined |
Housing: single-family or multi-family home | Memberships: not further defined |
Statistical data at district or municipal level: average income in the neighborhood, percentage owners/tenants, gardens, social class, percentage of higher education, unemployment rate | Other data: not further defined |
Observation data (at neighborhood level): average plot size, presence of solar panels | Derived data: not further defined |
Derived data: not further defined | Marketing profiles: not further defined |
Marketing profiles: not further defined | |

[97] Appendix (“Réponse Inspection APD 27042021”) to Item 18 in the inventory.
[98] Part 2 (“Response to the request for access of November 13, 2020 from Bisnode Belgium”) and Part 3 (“Response to the request for access dated 23 December 2020 from Bisnode Belgium") lodged with the conclusions of the response of the defendant.

109.
Although the Disputes Chamber will return to this further in the present decision [99], the question still arises to what extent all these personal data are systematically equally necessary for the promotion of the intended interests. In the context of the Data Delivery service [100], compliance with the principle of correctness under recital 39 and Article 5.1.d) GDPR is in fact put forward by the defendant as an interest in the processing. According to that principle, a controller — in this case the defendant or its customers — must take all necessary measures to ensure that personal data that are inaccurate, taking into account the purposes for which they are processed, are deleted or rectified without delay. In this regard, the Disputes Chamber is of the opinion that the principle of correctness [102] has a narrower application than the quality of the information [103], which in addition to accuracy and correctness also includes the completeness of the information [104]. In other words, the Disputes Chamber rules that compliance with the principle of correctness can under no circumstances justify the unlimited collection of personal data for the main purpose of drawing up a profile of the data subject that is as complete and accurate as possible [105]. The necessity of the collection and enrichment of personal data included in the CMX and Spectron databases, for compliance with the principle of correctness in the context of the Data Delivery services, has therefore not been demonstrated.

110. In a subordinate order, the Disputes Chamber notes that an “excessive” accuracy of the personal data — in light of the purposes pursued

[99] See marginal nos. 150 et seq. under Title II.4 in this decision.
[100] Exhibit 5 (“Legitimate Interest Assessment Consu-Matrix 27082020”) filed with the conclusions of the response of the defendant, p.
2; Document 6 (“Legitimate Interest Assessment Spectron 27082020”) filed with the conclusions in response of the defendant, p. 2: “[…] reference is made to the legitimate interest of Bisnode's customers […] to comply with the accurate [sic] principle of the GDPR that sets forth that data controllers must make efforts to maintain accurate personal data of theirs data subjects”.
[101] EDPB — Guidelines 4/2019 on Article 25 - Data protection by design and by default (v2.0, October 20, 2020), p. 26.
[102] In French “exactitude”; in English “accuracy”; in German “Richtigkeit”.
[103] Article 29 Data Protection Working Party – Guidelines on automated individual decision-making and profiling for the application of Regulation (EU) 2016/679 (WP251, February 6, 2018), p. 14. See also D. DIMITROVA, “The Rise of the Personal Data Quality Principle. Is it Legal and Does it Have an Impact on the Right to Rectification?”, EJLT, 2021, p. 5-6.
[104] See Article 7.2 of Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of data by competent authorities for the prevention, investigation, detection and prosecution of criminal offenses or the execution of penalties, and regarding the free movement of such data; and Article 74 of Regulation 2018/1725 of October 23, 2018 on the protection of natural persons with regard to the processing of personal data by the institutions, bodies, offices and agencies of the Union and on the free movement of such data, in which reference is made to the need to check the quality of data for accuracy, completeness and topicality.
[105] GBA — Recommendation 01/2020 of January 17, 2020 regarding the processing of personal data for direct marketing purposes, marginal no. 111. See also A. J. BIEGA & M. FINCK, “Reviving Purpose Limitation and Data Minimization in Data-Driven Systems”, Technology and Regulation, 2021, p. 56.
as well as the context of the processing [106] — can in certain situations also work to the detriment of those involved, especially when they are profiled or segmented in an inappropriate and opaque manner based on their (indirectly collected) personal data [107]. After all, the right to the protection of personal data under Article 8 of the Charter of Fundamental Rights assumes that data subjects, in addition to the right to information included in Articles 13 and 14 GDPR, also have a certain amount of control over “how accurately” their personal data is collected. The Disputes Chamber also refers to the preamble of the Convention for the Protection of Individuals with regard to the processing of personal data [108] (Convention 108), which speaks of “personal autonomy based on a person's right to control of his or her personal data and the processing of such data” [109], which translates, among other things, into the information and transparency obligation towards data subjects, as well as into the rights that the GDPR grants to them [110].

111. Nor, with regard to the B2C Data Quality services, does the defendant make it plausible to what extent the lifestyle data, the derived data [111] or the statistical data at district or municipal level were necessary to ensure that customers of BLACK TIGER BELGIUM would not have duplicate entries in their own databases, or to prevent returns.

112. With regard to the B2B Data Quality services, the defendant does not prove that the processing of the financial specifications, memberships and vocational training in the Spectron database is necessary for the realization of non-marketing related interests — in view of the prohibition on processing KBO data for marketing purposes [112] — such as preventing returns or double entries.

Storage limitation — 5.1.e) GDPR

113.
In addition to the principle of minimal data processing, the controller must also take into account, in the context of the necessity test, the principle of storage limitation contained in Article 5.1.e) GDPR. The Disputes Chamber has established that the defendant has not clarified at any time, neither when he was asked the question during the hearing on February 22, 2023, nor in the context of the reopening of the debates, why the personal data are kept in the databases for 15 years from the last registration and how such a retention period — an essential element to consider in the framework of the weighing of interests [114] — actually contributes to the objective of processing personal data that are as accurate and current as possible.

[106] CJEU, December 20, 2017, C-434/16, Peter Nowak v. Data Protection Commissioner (ECLI:EU:C:2017:994), marginal no. 53.
[107] See, among others, J. CHEN, “The Dangers of Accuracy: Exploring the Other Side of the Data Quality Principle”, EDPL, 1-2018, p. 36–52; G. GONZÁLEZ FUSTER, “Inaccuracy as a privacy-enhancing tool”, Ethics and Information Technology, Springer, 2010, p. 87-88.
[108] Council of Europe – Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, 28 January 1981.
[109] Loosely translated as "personal autonomy based on a person's right to control his or her personal data and the processing of such data”.
[110] J. CHEN, “The Dangers of Accuracy: Exploring the Other Side of the Data Quality Principle”, EDPL, 1/2018, p. 43.
[111] “Other variables” in Document 5 and Document 6 included in the defendant's conclusions in response, p. 5.
[112] See marginal no. 74 in this decision.
The Disputes Chamber also notes that the justification for this significant retention period of 15 years from the last recording in the database was identified in the joint GEB for CMX, Permesso and Spectron as “requiring improvement” (“improvable”) and as a term that requires “further justification” (“Add justification for 15 years owned data retention”). Furthermore, it is unclear to what extent, in addition to the most recent home addresses, a history of the previous domiciles of those involved was also kept and, if so, what the need for this would be in view of the intended objectives.

114. In his response to the sanction form dated October 31, 2023, the defendant argues that the statement that the unlawful processing took place for at least 15 years is incorrect. According to the defendant, the disputed activities took place for a maximum of three years, in particular between the entry into force of the GDPR and the filing of the complaint. In this regard, the Disputes Chamber recalls that the principle of storage limitation already existed under the previous Directive 95/46 [116] and that the present case irrefutably concerns processing that continued after May 25, 2018. The defendant's argument that the controversial activities took place only during the limited period between the entry into force of the GDPR and the date of the complaint therefore makes no sense.

115. Preliminary decision — The foregoing elements bring the Disputes Chamber to conclude that the processing of their data in the Spectron and CMX databases complained of by the complainants, for the Data Delivery and the Data Quality services respectively, did not meet the necessity test. After all, the Disputes Chamber considers the defendant's argumentation regarding the necessity of the processing not very convincing.

[113] Exhibit 17 (“Bisnode Belgium Retention Policy”) filed with the defendant's response.
[114] See Title II.3.3.3 Balancing test in this decision.
[115] Part 1 ("DPIA Bisnode 23 May 2018 - Consu -Spectron-Permesso") transferred to the Inspection Service, p. 6 and p. 15 in fine.
[116] Article 6.1.e) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of natural persons with regard to the processing of personal data and with regard to free movement of that data (OJ L 281, 23 November 1995).

First of all, it goes without saying that the processing of personal data cannot be justified by simply citing the necessity of this processing [117] to continue economic activities. Accepting such circular reasoning would otherwise inevitably compromise the relevance and usefulness of the assessment adopted by the Court in the Rīgas judgment [118], since the necessity test precisely aims to determine and demonstrate to what extent the collected data are concretely necessary to achieve the interests pursued. The Disputes Chamber is therefore of the opinion that the analysis carried out by the defendant on this point does not meet the conditions of a proper necessity test. Secondly, compliance with the principle of correctness under Article 5.1.d) GDPR, which the defendant puts forward in connection with the processing of personal data from CMX and Spectron for the Data Delivery services, can, as already stated [119], under no circumstances be used as an interest in filling databases with missing personal data. Third, the Disputes Chamber is not convinced — and the documentation submitted by the defendant also does not make it at all plausible — that no alternative, less drastic measures exist for achieving the intended interest, namely compliance with the principle of correctness by the customers of the defendant [120].
The Disputes Chamber considers, namely, that it is insufficiently proven that the defendant's customers could take no other measures to obtain the missing personal data, e.g. by collecting this data directly from the data subjects, who could thereby have had a say in the 'degree of accuracy' of their personal data. For the foregoing reasons, the Disputes Chamber decides that the defendant could not rely on Article 6.1.f) GDPR for the data processing in the context of the B2C and B2B Data Delivery services.

116. Nor does the Disputes Chamber consider it likely, with regard to the B2C Data Quality services, that all personal data consolidated in both databases would be strictly necessary to ensure the quality and reliability of the personal data already in the possession of the customers of BLACK TIGER BELGIUM, in the light of the principle of correctness under Article 5.1.d) GDPR. The defendant's customers — who, unlike the latter, do indeed come into contact with those involved and moreover already have (part of) their personal data — can after all inquire directly with the data subject to what extent their personal data are still current or need to be changed or supplemented. The Disputes Chamber finds that the retention period of 15 years is disproportionate to the intended interests.

[117] Document 5 (“Legitimate Interest Assessment Consu-Matrix 27082020”) filed with the conclusions in response of the defendant, p. 4; Document 6 (“Legitimate Interest Assessment Spectron 27082020”) filed with the conclusions in response of the defendant, p. 4.
[118] CJEU, May 4, 2017, C-13/16, Valsts policijas Rīgas reģiona pārvaldes Kārtības policijas pārvalde v Rīgas pašvaldības SIA 'Rīgas satiksme' (ECLI:EU:C:2017:336), marginal no. 30.
[119] See marginal nos. 109 and 110 in this decision.
[120] See marginal no. 109 in this decision.

117.
With regard to the B2B Data Quality services, the Disputes Chamber rules that the principle of necessity can only be complied with on the condition that the retention period of 15 years is shortened, that the service provision is limited to assigning a reliability score, and that the Data Quality service is not used to indirectly transfer data to third parties in order to increase data quality. Consequently, the current B2B Data Quality services do not meet the necessity test.

II.3.3.3. Balancing test

118. In order to rely on Article 6.1.f) of the GDPR, the controller must finally weigh up the interests and demonstrate that his own interests — or those of third parties — outweigh the interests or fundamental rights and freedoms of those involved.

119. The Disputes Chamber recalls that the balancing test is not aimed at preventing any effect on the interests and rights of data subjects, but at preventing disproportionate consequences as well as at assessing the mutual weight of these interests. The fundamental rights and freedoms of the data subjects referred to in Article 6.1.f) GDPR do not only include the right to data protection and privacy, but also other fundamental rights, such as the right to liberty and security, the freedom of expression and information, freedom of thought, conscience and religion, freedom of assembly and association, the prohibition of discrimination, the right to property or the right to physical and mental integrity, which can be affected either directly or indirectly by the processing [122]. The wording of Article 6.1.f) GDPR also assumes that, in addition to the fundamental rights of data subjects, other interests are also taken into account, such as social, financial or personal interests.
In short, a controller is expected to consider all relevant interests that can be influenced by the data processing, including - but not limited to - legal interests, financial interests, social interests or personal interests of those involved.

[121] Article 29 Data Protection Working Party - Opinion 06/2014 on the concept of "legitimate interest of the data controller" in Article 7 of Directive 95/46/EC (WP217, April 9, 2014), p. 49.
[122] Article 29 Data Protection Working Party - Opinion 06/2014 on the concept of "legitimate interest of the data controller" in Article 7 of Directive 95/46/EC (WP217, April 9, 2014), pp. 35-37.

120. Once these interests have been identified, it must then be determined which consequences the intended data processing could have for these interests [123]. The EDPB states:

“32. […] The reference to abstract situations or the comparison of similar cases is not enough. The controller must assess the risks of infringement of the rights of those involved; the determining factor here is how far-reaching the infringement of the rights and freedoms of persons is.

33. The intrusiveness can be determined, among other things, on the basis of the type of information collected (information content), its scope (information density, spatial and geographical range), the number of people involved, either in absolute numbers or as a percentage of the population involved, the concrete situation, the actual interests of the group of people involved and the available alternative means, as well as on the basis of the nature and the scope of the data assessment [by the controller].”

Nature of the personal data processed

121. According to the EDPB, the controller must take into account the categories of personal data that data subjects generally regard as more private [124] [125] or rather of a more public nature.
In the present case it is established that the defendant processes data related to the family composition of data subjects, as well as their private email address or private mobile telephone number, data which are rarely made publicly available by those involved. The exact date of birth and social class also belong, according to the Disputes Chamber, to categories of information that are generally considered more private by the data subjects than data of a public nature, such as their professional capacity.

122. The Disputes Chamber is also of the opinion that the position taken by the defendant about the non-processing of special categories of personal data requires some nuance in the light of the case law of the Court of Justice. In its judgment in C‑184/20, the Court focused on certain information which, although not intrinsically “sensitive” within the meaning of Article 9 GDPR, may reveal potentially sensitive information, such as the sexual orientation of those involved. For example, the Court ruled that “the concepts 'special categories of personal data' and 'sensitive data' should be interpreted broadly”, with the result that the processing of “personal data that may indirectly reveal sensitive information about a natural person” likewise constitutes “a processing of special categories of personal data within the meaning of those provisions” [126].

[123] EDPB – Guidelines 3/2019 on the processing of personal data using video equipment (v2.0, 29 January 2020), marginal nos. 32-33.
[124] Article 29 Data Protection Working Party - Opinion 06/2014 on the concept of "legitimate interest of the data controller" in Article 7 of Directive 95/46/EC (WP217, April 9, 2014), pp. 46-47.
[125] See marginal no. 108 in this decision.

123.
In the absence of specific elements available to the Disputes Chamber regarding how those involved who belong to the same household are concretely characterized and linked together in the defendant's databases, and given the absence of a specific determination by the Inspection Service in this regard, the Disputes Chamber can, however, not take the processing of special categories of personal data into account in the context of the balancing test and cannot find any infringement of Article 9 GDPR by the defendant in the present case.

124. Finally, and notwithstanding that the defendant himself acknowledges that he has processed the data of minors who belong to the same household as the complainants [127] for segmentation purposes, the Disputes Chamber first determines that the data concerned are limited to the gender and date of birth of the child. Furthermore, the Disputes Chamber has no indications that the defendant has effectively transferred personal data of these minors to its customers.

Context of data processing

125. In addition to the nature of the personal data, the controller must also take into account the amount of personal data processed, whether or not these personal data are combined with other databases, the extent of accessibility and/or publicity of the data after processing, the status of the controller (e.g., his market position, his relationship with the data subjects) and likewise the status of those involved (e.g., if vulnerable persons are involved).

126. In his defense the defendant states that as a data broker he maintains virtually no direct relationship with those involved, but makes his expertise in big data available to its customers [129].
The Disputes Chamber believes that this specific context, in which the defendant does not come into direct contact with those involved, inevitably contributes to the processing activities it carries out being characterized by more limited transparency towards those involved, notwithstanding the various initiatives and measures taken by the defendant. From the foregoing it also follows that the data subject is in fact forced to consult the privacy statement on the defendant's website on their own initiative — or to carefully keep track of which of the companies to which they have provided their personal data over the past 15 years have indicated that they transfer these personal data to BISNODE BELGIUM — in order to be able to comprehend the extent of the personal data that the defendant processes about them. In addition, the large-scale [130] processing activities of the defendant, in his capacity as data broker, inherently involve combining personal data with other data files. This is by no means refuted by the defendant.

127. In view of these elements, the Disputes Chamber finds that the context of the processing is essentially more disadvantageous for the data subjects, whose personal data are processed in an opaque manner, compared to the benefit that the defendant and its customers derive from the processing. In other words, the interests of those involved weigh more heavily in the weighing of interests.

[126] CJEU, August 1, 2022, C-184/20, OT v. Vyriausioji tarnybinės etikos komisija (ECLI:EU:C:2022:601), marginal nos. 125-128.
[127] See marginal no. 79 in this decision.
[128] Article 29 Data Protection Working Party - Opinion 06/2014 on the concept of "legitimate interest of the data controller" in Article 7 of Directive 95/46/EC (WP217, April 9, 2014), p. 47-49.
[129] Conclusions of the defendant's rejoinder dated March 7, 2022, p. 15.
Impact of the processing for the data subjects

128. In addition, the controller must pay particular attention to the consequences — both positive and negative — for those involved, including possible future decisions or actions of third parties; situations in which the processing may lead to the exclusion or discrimination of persons or to defamation; or, in a broader sense, situations where there is a risk of damaging the reputation, the negotiating capacity or the autonomy of those involved [131]. It is again important that this assessment relates to the different ways in which those involved may experience a positive or negative impact due to the processing of their personal data.

129. During the hearing on February 22, 2023, the complainant refers to the assessment of his creditworthiness by a company, based on data provided by the defendant, without the complainant being informed in advance [132]. In the response to a request for access directed to that company, which the complainant adds to his response conclusions, it is clear to see that the information used by the company to determine creditworthiness [133] comes from the defendant. Certain authors have already warned about the risks related to invisible discrimination based on profiling data such as the income of those involved, but also about the general loss of control that data subjects experience with regard to their data [134].

[130] The defendant does not dispute this classification of the scope of the data processing in his rejoinder.
[131] Article 29 Data Protection Working Party - Opinion 06/2014 on the concept of "legitimate interest of the data controller" in Article 7 of Directive 95/46/EC (WP217, April 9, 2014), pp. 45-46.
[132] See marginal no. 83 in this decision.
[133] “Creditworthiness (based on the street where you live – source = bisnode” in the appendix to the Conclusions of the reply of the complainant, transferred to the Disputes Chamber on February 15, 2022.
The Disputes Chamber thus establishes that the non-transparent processing of personal data by the defendant can have significant consequences for data subjects who would like to purchase certain services from the defendant's customers.

130. In the so-called “Legitimate Interest Assessments” (LIAs) for both databases, the defendant describes the consequences of the processing for data subjects as follows. By offering the defendant's customers the opportunity to create direct marketing profiles sets that would otherwise be difficult or impossible to create, the privacy of the data subjects is affected, which can cause them annoyance, irritation or stress (“perceived or real lack of transparency and illegitimacy of processing” [135]). In addition, the defendant acknowledges that data subjects have only limited control, or no longer any control, over the processing of their personal data, and that bypassing the sources that transfer their personal data to the defendant may require significant adjustments to their lifestyle. Along the same lines, the defendant accepts that data subjects are in fact denied the opportunity to refuse the processing of their personal data by the defendant; instead, they must themselves make the effort to exercise their right to object vis-à-vis the defendant (opt-out) [136].

131. Furthermore, the Disputes Chamber notes that the adverse consequences for data subjects identified by the defendant do not, however, take into account the aforementioned risks of discrimination by the defendant's customers on the basis of the personal data provided. The Disputes Chamber refers in particular to the contractual provisions with the defendant's customers, which only prohibit them from using the personal data provided for the benefit of a third party [137].
For the rest, the defendant's customers are therefore permitted to use the personal data for their own direct marketing-related purposes, which are not further defined in the agreement.

[134] H. RUSCHEMEIER, “Data Brokers and European Digital Legislation”, EDPL, 2023-1, p. 30 ISHR, “The dark industry of data brokers: need for regulation?”, International Journal of Law and Information Technology, Volume 29, Issue 4, 2021, p. 395–410; G. GONZÁLEZ FUSTER, “Inaccuracy as a privacy-enhancing tool”, Ethics Inf Technol, 2010, p. 91 et seq.
[135] In Dutch, “perceived or actual lack of transparency and illegality of the processing” (free translation), in Exhibit 5 (“Legitimate Interest Assessment Consu-Matrix 27082020”) filed with the defendant's response conclusions; Exhibit 6 (“Legitimate Interest Assessment Spectron 27082020”) filed with the defendant's response conclusions.
[136] Exhibit 5 (“Legitimate Interest Assessment Consu-Matrix 27082020”) filed with the defendant's response conclusions, point 3 under title “2.3 The Balancing Test”; Exhibit 6 (“Legitimate Interest Assessment Spectron 27082020”) filed with the defendant's response conclusions, point 3 under title “2.3 The Balancing Test”.
[137] Exhibit 12 (“Piece 12 - Template counter-client Multi - voir articles 3.2 et 4.1”) as submitted by the defendant to the Inspection Service in the context of the investigation: “3.1. The licence of use is granted by Bisnode Belgium for the Client's own use, for an action of the "direct marketing" type and therefore to the exclusion of any services, direct or indirect, for third parties (such as, for example, any form of sale, marketing or transfer, direct or indirect, for consideration or free of charge, of the licence to third parties, or any other use by third parties)”.

132.
In this regard, the Disputes Chamber considers it remarkable that the defendant contractually prohibits its customers from referring, directly or indirectly, vis-à-vis the data subjects to the selection criteria that were applied, and that the defendant in addition monitors the content of its customers' messages, which it must approve in advance [138]. In concrete terms, this means that the defendant has expressly, and therefore consciously, hindered its customers' transparency towards the data subjects. In the context of the reopening of the debates, the defendant briefly confirms that: “with regard to professional customers […] a licensing agreement [was] concluded for the use of B2C data, which indeed imposed various obligations on the customers in order to safeguard the defendant's commercial interests. Thus the template agreement stipulated, among other things, that the selection criteria could not be communicated to consumers”. The Disputes Chamber rules that this restriction of the provision of information is contrary to the fundamental rights of the data subjects, who, if they wish to obtain more information about the precise circumstances in which their personal data are processed, are obliged to exercise their right of access vis-à-vis the sender of the direct marketing messages or the defendant.

133. In summary, the Disputes Chamber is of the opinion that the consequences of the data processing for the data subjects were not sufficiently taken into account by the defendant in the context of the balancing test, since the defendant's analysis was limited to the receipt of direct marketing advertising by post and the exercise of their rights (including their right to object), and thus did not take into account the known risks of hidden or indirect discrimination against complainants based on their profiling data, including of their creditworthiness.
The Disputes Chamber must conclude in this regard that the interests of the defendant and its customers do not prevail over the interests of the data subjects.

[138] Exhibit 12 (“Piece 12 - Template counter-client Multi - voir articles 3.2 et 4.1”) as submitted by the defendant to the Inspection Service in the context of the investigation: “3.3. The Client is prohibited from referring, directly or indirectly, to the selection criteria used in its commercial communication to consumers. Before each campaign, Bisnode Belgium must receive, at short notice, one copy per language of the commercial message that will be addressed to the consumer (on the envelope, the letter, the attachments and the telephone script alike). Within the framework of the given campaign, only the message submitted to and approved by Bisnode Belgium may be distributed [sic].”.

Reasonable expectations of the data subjects

134. To determine whether the third condition (balancing test) has been met, account must finally be taken, in addition to the impact of the intended data processing, of the reasonable expectations of the data subjects, in accordance with Recital 47 GDPR. In particular, the controller must determine to what extent the data subjects, at the time and in the context of the collection of the personal data, can reasonably expect that data processing for the intended purpose may take place.

135. Data brokers collect and aggregate numerous data points in order to compile comprehensive and detailed numerical profiles of the individual data subjects. Afterwards they offer this profile data to customers (Data Delivery) or, as the defendant has done since the termination of the Data Delivery services, use it to assess, improve and confirm the quality of data already in the possession of these customers (Data Quality).
In most cases this happens without the prior consent of the data subjects (as in the present case) or without them being fully informed of the scope of these processing operations.

136. The Inspection Service, referring to previous case law of the Court of Justice [139] and following guidelines adopted by the EDPB [140], essentially establishes that the defendant processes various personal data, obtained partly from the data subjects themselves and partly from other sources, on a large scale and beyond the reasonable expectations of the data subjects. In its defenses, the defendant consistently disputes that the reasonable expectations of users must be taken into account when weighing the different interests at stake. Referring to legal doctrine, the defendant argues, on the contrary, that “the reasonable expectation criterion only relates to further processing within the meaning of Article 6(4) GDPR” [141] and is therefore not necessarily relevant to the weighing of interests in the context of Article 6.1.f) GDPR.

137. The Disputes Chamber rules that the argument raised by the defendant, according to which the reasonable expectations of the data subjects cannot be taken into account when assessing the legitimate interest of BLACK TIGER BELGIUM, is not convincing. In this regard, the Disputes Chamber first refers to the answer of the DPO of BISNODE BELGIUM dated April 27, 2021, in which the defendant expressly declares that it takes the reasonable expectations of the data subjects into account (free translation and own underlining) [142]:

[139] CJEU, 11 December 2019, C-708/18, TK v. Asociaţia de Proprietari bloc M5A-ScaraA (ECLI:EU:C:2019:1064), marginal nos. 56-58.
[140] Article 29 Data Protection Working Party - Opinion 06/2014 on the concept of "legitimate interest of the data controller" in Article 7 of Directive 95/46/EC (WP217, 9 April 2014); EDPB – Guidelines 3/2019 on the processing of personal data by means of video equipment (v2.0, January 29, 2020), p.
10 et seq.
[141] D. DE BOT, The application of the General Data Protection Regulation in the Belgian context, Kluwer, 2020, p. 448-449, no. 1094 et seq.
[142] “Bisnode Belgium also takes care to take account of the reasonable expectations of the persons concerned by requiring its customers to systematically provide it with the draft text of the mailings they intend to send. This is done to ensure that these comply with our internal rules of professional ethics, which are entirely focused on respecting the reasonable expectations of the persons concerned. Also with the aim of taking account of the reasonable expectations of the persons concerned, Bisnode Belgium takes care to be mentioned in the privacy policy of its data source partners.”

“Bisnode Belgium also ensures that the reasonable expectations of the data subjects are taken into account by asking its customers to systematically provide us with the draft text of the mailings they want to send. In this way we can ensure that these are in accordance with our internal rules of conduct, which are all aimed at respecting the reasonable expectations of the data subjects. In order to take the reasonable expectations of the data subjects into account, Bisnode Belgium also ensures that it is mentioned in the privacy policy of its data source partners”

138. Furthermore, the Disputes Chamber recalls that Article 5.1.a) GDPR, which stipulates that personal data must be processed in a manner that is lawful, fair and transparent towards the data subject, must be read in conjunction with Recital 39 GDPR, which stipulates that it must be transparent to data subjects “that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed”.
This core principle of the GDPR therefore means that any processing of personal data, regardless of the legal basis put forward by the controller, must adhere to the transparency principle.

[143] See marginal no. 126 in this decision.
[144] These are the partners of the defendant, who provide it with personal data.

139. Having said this, the Disputes Chamber considers it important to emphasize, at this stage, the distinction between the information that data subjects receive regarding the processing, and the reasonable expectations that data subjects may or may not have with regard to a specific data processing operation. As already stated [143], the data subjects have no direct relationship with the defendant, with the result that they cannot reasonably expect the indirect collection of their personal data by BISNODE BELGIUM and subsequently BLACK TIGER BELGIUM. Nowhere can it be inferred from the policy documents and model agreements that the defendant has submitted to the Inspection Service that the data sources [144] must proactively and individually inform data subjects about the actual transfer of their personal data to the defendant. In other words, the defendant can give no guarantees whatsoever that data subjects who no longer consult the privacy policy of a data source after that policy has been adjusted to mention BISNODE BELGIUM by name among the possible data recipients are actually notified of the collection and subsequent processing of their data by the defendant. Such a gap in the defendant's transparency policy therefore means that a negligible number of data subjects whose personal data were processed in the defendant's databases for the Data Delivery service could only be informed of the processing of their data by the defendant after receipt of the first direct marketing communications from a customer of the defendant.
Due to the nature of the Data Quality services, in which according to the defendant no personal data are transferred to the defendant's customers, the data subjects may, on the other hand, never be informed of the processing and commercialization of their personal data by the defendant [145].

140. The Disputes Chamber therefore decides that the services the defendant offers to customers fall anything but within the reasonable expectations of the data subjects, all the more so because these reasonable expectations must specifically relate to the processing by the defendant. The argument that data subjects can expect that their personal data will sooner or later be collected and exchanged by a third party, as this was announced as part of a national media campaign in 2019 [146], is far from convincing in this regard [147].

141. In subordinate order, the Disputes Chamber again notes that, with the exception of the defendant's position that “B2B data subjects” reasonably expect that their personal data are processed by third parties in a professional context [148], there is no substantial difference between the two assessments regarding the Spectron database (B2B) and the CMX database (B2C) respectively. According to the Disputes Chamber, this alone testifies to a lack of proper consideration of all relevant circumstances of the data processing, as well as of its consequences for B2C data subjects, in the context of the weighing of interests carried out. The Disputes Chamber therefore rules that the analysis conducted by the defendant in any case does not meet the conditions of a proper balancing test.

142. If, after the weighing of interests, it is unclear whose interest prevails, it is of course possible for the controller to provide additional safeguards to mitigate the undesirable consequences of the processing for the data subjects [149].
Such safeguards include, according to the Disputes Chamber, necessarily proactive information to the individual data subject about how their personal data are processed, as well as a simple and accessible mechanism through which data subjects are given the opportunity to object to (opt out of) the processing of their data by the defendant, and possibly also to exercise their right to erasure of data.

[145] I.e., except for the limited information that may have been communicated when the personal data were collected by the sources that passed them on to the defendant, which the Disputes Chamber has already ruled to be insufficient guarantees in the light of the transparency obligation.
[146] Exhibit 14 (“Copie d'extraits de la campaign de presse de juillet 2019”) as submitted by the defendant to the Inspection Service in the context of the investigation.
[147] See marginal no. 102 in this decision.
[148] Exhibit 6 (“Legitimate Interest Assessment Spectron 27082020”) filed with the defendant's response conclusions: “It is likely or, at least, reasonable to assume that in a B2B context, data subjects are aware that personal data is being collected and commercialized (= reasonable expectations of the data subject). Indeed, it is even possible that the data subjects may even use the services of Bisnode themselves. At any rate, data brokerage is a common activity in a professional setting and the various official database ensure a large, public propagation of professional data, including personal data. Therefore, impact should be given a lesser weight in relation to the Spectron database” (own underlining).
[149] Article 29 Data Protection Working Party - Opinion 06/2014 on the concept of "legitimate interest of the data controller" in Article 7 of Directive 95/46/EC (WP217, April 9, 2014), p. 21.

143.
Finally, the Disputes Chamber rules that, since it is a (non-autonomous) dispute resolution body of an administrative authority [150], it is not within its powers to submit preliminary questions under Article 267 TFEU [151] to the CJEU. After all, in order to guarantee the uniform application of Union law, this provision provides an instrument of judicial cooperation between the CJEU and the national courts, whereby a so-called preliminary question may emanate from a court in the context of a procedure leading to a judicial decision [152]. When assessing whether a referring body is a “judicial authority” within the meaning of Article 267 TFEU, the CJEU takes into account the legal basis of the body that submitted the request, its permanent character and its mandatory jurisdiction, the fact that the body rules after an adversarial procedure, the application of rules of law by the body, and the independence of that body [153]. However, the Disputes Chamber rules that the GDPR makes a clear distinction between the supervisory authorities and the judicial authorities [154]. Where Article 267 TFEU aims, through the preliminary ruling procedure before the CJEU, to obtain a uniform interpretation during the judicial phase, the GDPR provides for the consistency mechanism, in which respect the Disputes Chamber specifically points to the procedure provided for in Article 64.2 thereof [155], with a view to a similar purpose but for the supervisory authorities under the GDPR. In any case, the Disputes Chamber considers that it

[150] Brussels Court of Appeal (Market Court section), X v. GBA, Judgment 2023/AR/184 of 8 March 2023, p. 12; Brussels Court of Appeal (Market Court section), X v. GBA, Judgment 2022/AR/292 of September 7, 2022, p. 36; Brussels Court of Appeal (Market Court section), X v. GBA, Judgment 2021/AR/320 of 7 July 2021, p. 24; Brussels Court of Appeal (Market Court section), X v. GBA, Judgment 2020/AR/329 of September 2, 2020, p. 13.
[151] Article 267 of the Treaty on the Functioning of the European Union: “The Court of Justice of the European Union shall have jurisdiction, by way of preliminary ruling, to rule (a) on the interpretation of the Treaties, (b) on the validity and interpretation of acts of the institutions, bodies, offices or agencies of the Union. If a question in this regard is raised before a court of one of the Member States, that court may, if it considers a decision on this point necessary for the delivery of its judgment, request the Court to rule on this question. If such a question is raised in a case pending before a national court whose decisions are not subject to appeal under national law, that court is obliged to refer the matter to the Court.” (own underlining).
[152] K. LENAERTS and P. VAN NUFFEL, European Law, Antwerp-Cambridge, Intersentia, 2011, marginal nos. 836-837.
[153] CJEU, 31 May 2005, C-53/03, Syfait (ECLI:EU:C:2005:333), marginal no. 29; CJEU, June 30, 1966, C-61/65, Vaassen-Göbbels (EU:C:1966:39); CJEU, December 10, 2009, C-205/08, Umweltanwalt von Kärnten (EU:C:2009:767), marginal no. 35. See also K. LENAERTS, I. MASELIS & K. GUTMAN, EU Procedural Law, Oxford University Press, 2015, p. 53.
[154] See, among others, Article 78.3 GDPR (right to institute effective legal remedies against a supervisory authority) and 79.2 GDPR (right to bring an effective remedy against a controller or a processor).
[155] Article 64.2 GDPR: “2.
A supervisory authority, the Chair of the Board or the Commission may request that any matter of general application or producing effects in more than one Member State be examined by the Board with a view to obtaining an opinion, in particular where a competent supervisory authority does not comply with the obligations for mutual assistance in accordance with Article 61 or for joint operations in accordance with Article 62.”

is in no way obliged [156] to submit a preliminary question to the CJEU in this regard, as the decisions of the Disputes Chamber of the GBA are subject to appeal before the Market Court, and since the present case does not concern the validity of an act of an institution, body or agency of the European Union [157].

II.3.3.4. Decision

144. In view of the previous elements, the Disputes Chamber concludes that there has been an infringement of Article 5.1.a), 5.2 and Article 6.1 GDPR, as the defendant has not properly demonstrated that its interests as well as those of its customers are legitimate, or that the processing is necessary for the realization of the interests pursued, and that these interests would outweigh the interests and fundamental rights of the data subjects.
[156] Article 267(2) TFEU.
[157] F. PITALE, “Chapitre VI. La faculté et l'obligation de renvoi ERRARO & C. ANNONE, Le renvoi préjudiciel, Bruxelles, Bruylant, 2023, p. 183.

In particular, the Disputes Chamber rules:
▪ that the processing of company data, insofar as this concerns personal data, in the Spectron database in the context of the “B2B” Data Delivery services, whereby the defendant collects and enriches personal data of natural persons from the KBO with a view to the commercial supply of personal data to its customers for direct marketing-related purposes, is expressly prohibited by law and can therefore not rely on the basis provided for in Article 6.1.f) GDPR;
▪ that the processing of consumer data collected in the CMX database within the framework of the “B2C” Data Delivery service, whereby the defendant collects and enriches personal data of consumers with a view to the commercial supply of personal data to its customers, could not rely on the basis provided for in Article 6.1.f) GDPR due to the lack of necessity and the disproportionate impact on the data subjects. The commercial benefits that the defendant and its customers derive from the processing do not outweigh the fundamental right of the data subjects to respect for their private sphere, given the nature of the personal data, the duration of the processing, and the limited provision of information to the data subjects. Finally, the defendant makes it insufficiently plausible that such processing could fall within the reasonable expectations of the data subjects.
▪ that the processing of consumer data collected in the CMX database within the framework of the “B2C” Data Quality services, whereby the defendant
collected, enriched and consolidated personal data of consumers in order to assign, for a fee, a reliability score to personal data of consumers already in the possession of the defendant's customers, so that they could improve the quality of their data by formatting, standardizing, correcting and/or internally linking (matching) them, could not rely on the basis provided for in Article 6.1.f) GDPR. It has not been demonstrated that the processing was necessary for compliance by the defendant's customers with the principle of accuracy in accordance with Article 5.1.d) GDPR. The Disputes Chamber considers it insufficiently proven that the customers of BLACK TIGER BELGIUM could pursue their interest in complying with the aforementioned principle exclusively through the Data Quality services or, in short, that the disputed processing was indeed necessary to ensure the completeness and accuracy of the personal data already in the possession of the defendant's customers. Finally, the defendant does not sufficiently prove that such processing could fall within the reasonable expectations of the data subjects.
▪ that the processing of company data in the Spectron database within the framework of the “B2B” Data Quality services, whereby the defendant collects, enriches and consolidates personal data of natural persons affiliated with companies in order to assign, for a fee, a reliability score to personal data already in the possession of the defendant's customers, so that they can improve the quality of their data by formatting, standardizing, correcting and/or internally linking (matching) them, cannot rely on the basis provided for in Article 6.1.f) GDPR. After all, personal data originating from the KBO may not be used or distributed for direct marketing-related purposes.
In addition, the Disputes Chamber considers it insufficiently demonstrated that the processing of personal data in Spectron is necessary to ensure the completeness and accuracy of the personal data already in the possession of the defendant's customers, as well as to accomplish non-direct-marketing-related interests. Finally, the Disputes Chamber rules that the data subjects cannot reasonably expect, partly due to the lack of proactive information provision, the processing of all categories of personal data included in the Spectron database.

II.4. Transparency towards the data subjects (Article 12.1, Article 13.1 and 13.2, Articles 14.1 and 14.2, Article 5.2, Article 24.1, and Article 25.1 GDPR)

II.4.1. Position of the Inspection Service

145. As part of its investigation, the Inspection Service analyzed two websites of the defendant and determined that the link to the privacy statement on the first website [158] redirects visitors to the second website [159], where they can consult the privacy statement. However, the Inspection Service notes that the information the defendant makes available on the second website is neither transparent nor easily accessible to data subjects, that the information about the processing is spread across various web pages, and that it also contains incorrect information.

146. Furthermore, the Inspection Service notes that the information provided by the defendant is incomplete, as not all information required by Articles 13 and 14 GDPR is actually communicated. In particular, nowhere is reference made to the right of data subjects to withdraw consent given, nor to the right of data subjects to file a complaint with the GBA. Furthermore, the contact details of the defendant's DPO are not stated on the website, although the DPO has a personal email address.

II.4.2. Position of the parties

147.
The complainant states that BLACK TIGER BELGIUM has processed personal data in a non-transparent manner, as he was not informed of the fact that the defendant had collected personal data and processed them for its own purposes. The complainant asserts that he only became aware of the extent of this processing in the context of the exercise of his right of access to his personal data. With regard to the manner in which the defendant has fulfilled its obligation to provide information to data subjects, the complainant points out in particular that at no time during the past 17 years, nor since the entry into force of the GDPR, was he contacted by the defendant or its processors, or by joint controllers who would have received personal data from the complainants, with a clear explanation of exactly which personal data they process. Thus, according to the complainant, the defendant, as well as any other recipient of the personal data in question, systematically failed to notify data subjects in accordance with Articles 13 and 14 GDPR about the processing of their data. In this regard the complainant states that the defendant cannot possibly rely on the exception provided in Article 14.5.b) GDPR, as it has the necessary data to contact the data subjects in order to fulfill its information obligation. During the hearing of February 22, 2023, the complainant also emphasizes that the defendant uses different privacy statements, which makes it difficult for data subjects to find out which rules apply to the processing of their personal data.

[158] https://www.permesso.be/nl/privacybeleid.
[159] https://bisnodeandyou.be.

148.
The defendant disputes the finding that it would not be easy for data subjects to find concrete information about the data processing, and states that it made a conscious choice for a layered approach to its privacy statement, depending on the capacity of the data subject (consumer/professional), in order not to work with information that is too extensive and therefore incomprehensible. According to the defendant, this method allows data subjects to navigate directly to the part of the statement that they want to read. Regarding the Inspection Service's argument that “a data subject cannot reasonably expect that his data will be commercialized simply because of the existence of a cooperation agreement with certain public or commercial sources”, the defendant argues that it has taken the necessary measures to ensure that data subjects are aware of the processing carried out. The defendant also refers to the privacy statement of the KBO, “which explicitly states that the personal data are processed for the purpose of reusing the data, whether or not for commercial purposes”.

149. During the hearing on February 22, 2023, the Disputes Chamber asks what the responsibility of the defendant is if the sources or partners fail to provide data subjects with information about the processing of their personal data by BLACK TIGER BELGIUM. According to the defendant, this is first of all a contractual matter between the defendant and its sources or customers respectively, although the defendant always checks whether the standard wording is actually included in the privacy statement of its sources or customers respectively. Also, prior to the sending of commercial messages by post by the defendant's customers, the defendant has a right to inspect the draft communication as well as the right to request adjustment of the communication, if necessary.
For the rest, the defendant has questions about the appropriate level of control that the Disputes Chamber would expect of the defendant with regard to its partners and customers, and more specifically whether the defendant must regularly check with each partner and customer whether the privacy statement contains the standard wording. Finally, the defendant states that it is aware of certain shortcomings in its privacy statement, although these shortcomings have now been resolved in the new privacy statement [160]. The fact that the defendant does not mention the right of data subjects to withdraw their consent would also be irrelevant, as the defendant relies only on its legitimate interests for the disputed data processing.

[160] https://www.blacktigerbelgium.tech/privacy-policy/.

II.4.3. Judgment of the Disputes Chamber

150. As regards the lawfulness of the disputed processing, it is established that the reasonable expectations of the data subjects are relevant (contrary to what the defendant puts forward in its defense) to assess to what extent there may be lawful data processing based on the legitimate interests of the defendant or its customers [161]. Those reasonable expectations are also to be taken into consideration when determining the time at which the information about the processing is communicated to the data subjects [162], taking into account the general principle that data subjects should not be surprised by the purpose of the processing of their personal data [163]. The Disputes Chamber has repeatedly emphasized in previous decisions that transparency is of crucial importance to give data subjects control over their personal data and to ensure effective protection of personal data [164].
The transparency obligation in the GDPR requires that all information or communication regarding the data processing be easily accessible and understandable to those involved,165 but also that it be provided to them in a timely manner.166

151. In the present case it is first of all established that the personal data processed by the defendant were not collected directly from the complainants. Consequently, only Article 14 GDPR applies,167 the first two paragraphs of which set out the information to be provided to data subjects:

a. the identity and contact details of BLACK TIGER BELGIUM and, where appropriate, of his representative;
b. where applicable, the contact details of the DPO;
c. the processing purposes for which the personal data are intended;
d. the legal basis for the personal data processing;
e. the categories of personal data concerned;
f. where applicable, the recipients or categories of recipients of the personal data;
g. where appropriate, that BLACK TIGER BELGIUM intends to transfer personal data to a recipient in a third country or to an international organization; whether or not an adequacy decision of the Commission exists; or, in the case of the transfers referred to in Article 46, Article 47 or Article 49.1.2° GDPR, which appropriate or suitable guarantees BLACK TIGER BELGIUM has taken, as well as how the data subject can obtain a copy of them or where they can be consulted;
h. the period during which the personal data will be stored, or if that is not possible, the criteria to determine that period;
i. the legitimate interests of BLACK TIGER BELGIUM or a third party, if the processing is based on Article 6.1.f) GDPR;
j. that the data subjects have the right to request from BLACK TIGER BELGIUM access to and rectification or deletion of personal data or restriction of the processing concerning them, as well as the right to object to processing and the right to data portability;
k. when the processing is based on Article 6.1.a) GDPR or Article 9.2.a) GDPR, that the data subjects have the right to withdraw their consent at any time, without this affecting the lawfulness of the processing based on consent before its withdrawal;
l. that data subjects have the right to file a complaint with a supervisory authority;
m. the source from which the personal data comes, and where applicable, whether they come from public sources;
n. the existence of automated decision-making, including the profiling referred to in Articles 22.1 and 22.4 of the GDPR, and — at least in those cases — useful information about the underlying logic, as well as the importance and expected consequences of that processing for the data subjects.

161 See edge nos. 134 et seq. in this decision.
162 Article 29 Data Protection Working Party - Guidelines on transparency under Regulation (EU) 2016/679 (WP260, rev. 01, April 11, 2018), edge no. 28.
163 Ibidem, edge no. 45 in fine.
164 See, among others, Decision 04/2021, edge no. 167; Decision 47/2022, edge no. 127 ff.; Decision 84/2022, edge no. 76.
165 Recital 39 GDPR.
166 Article 29 Data Protection Working Party - Guidelines on transparency under Regulation (EU) 2016/679 (WP260, rev. 01, April 11, 2018), edge no. 48.
167 Ibidem, edge no. 26 in fine.

152.
Pursuant to Article 14.3 GDPR, which relates more specifically to the modalities of the provision of information and as such forms an inherent addition to the core obligations arising from the two preceding paragraphs of Article 14 GDPR, the aforementioned information must be communicated to those involved within certain periods. In general, the rule is that the controller must inform those involved about the processing within a reasonable period, but no later than one month after obtaining their data, depending on the specific circumstances thereof (14.3.a) GDPR). According to the Guidelines on transparency under the GDPR,168 however, this period can be shortened to the extent that the personal data collected are intended for contacting the data subjects, in which case the information must be provided at the time of first contact with the data subject (14.3.b) GDPR). Finally, the one-month period can also be shortened if the personal data is communicated to a recipient within the meaning of Article 4.9) GDPR. In such circumstances, those involved must be informed no later than the time at which their personal data is provided (14.3.c) GDPR).

153. In its defenses, BLACK TIGER BELGIUM states that those involved were informed on the basis of the mandatory indication of the name of the defendant in the advertising messages that his customers addressed to those involved.169 In concrete terms, this means that in most cases those involved were informed only for the first time through the — often unwanted — advertising messages of the existence of the defendant, as well as of the fact that the defendant may have at some point collected and processed their personal data. The Disputes Chamber assumes that such an approach aims to comply with the time provided under 14.3.b) GDPR, i.e. to inform the data subjects at the time of actual contact with the data subject, without this necessarily taking into account the time period between initial data collection and initial contact. In the guidelines on transparency under the GDPR it is nevertheless expressly stated that the period of one month provided under Article 14.3.a) GDPR is a maximum period,170 which cannot be extended but can only be shortened depending on the purposes of the processing.

154. The Disputes Chamber is well aware that the data sources of the defendant have an obligation to provide information in accordance with Article 14.3.c) GDPR, in particular when they provide personal data in their possession to BLACK TIGER BELGIUM. The Disputes Chamber emphasizes, however, that under Article 14.3.c) GDPR it is in principle up to the controller who transfers data — and therefore not to the recipients, in this case the customers of the defendant — to provide the information as provided under Articles 14.1 and 14.2 GDPR to the data subjects. In concrete terms, all successive controllers (i.e., the defendant's partners who provide him with personal data, the defendant himself, and the customers to whom the defendant, where applicable, transfers personal data) must each separately inform data subjects about the data processing they carry out themselves.171

168 Article 29 Data Protection Working Party - Guidelines on transparency under Regulation (EU) 2016/679 (WP260, rev. 01, April 11, 2018), adopted by the EDPB.
169 See edge nos. 64, 66 and 137 in this decision.
170 Article 29 Data Protection Working Party - Guidelines on transparency under Regulation (EU) 2016/679 (WP260, rev. 01, April 11, 2018), edge no. 28.

155.
Moreover, it follows from an a contrario reading of Article 14.5.b) GDPR that the provision of information in accordance with Articles 14.1 and 14.2 GDPR should logically be done proactively, in contrast to the rather passive provision of information for which Article 14.5.b) GDPR provides as an exception. After all, the indirect collection of personal data of the data subjects does not presuppose that the provision of information to those involved should also only happen indirectly. On the contrary, it follows from the case law of the Court of Justice as well as from the provisions of the GDPR172 that it is exclusively up to the controller who determines the means and purposes of the processing to inform those involved in a fair and transparent manner. The Disputes Chamber therefore concludes that it is primarily up to the defendant to proactively inform those involved about the processing of their personal data by BLACK TIGER BELGIUM, in accordance with Article 14 GDPR.

156. The fact that the partners of the defendant, who in the context of their agreement transfer the personal data collected by them to the defendant for a fee, themselves provide information to those involved does not affect the foregoing. After all, the Disputes Chamber is not convinced by the organizational measures that the defendant has taken to “indirectly” comply with his transparency obligation, whereby the data sources are obliged to expressly refer in their privacy statement to the personal data processing carried out by the defendant. In that respect, the Disputes Chamber refers to the template for the agreements with data sources,173 which stipulates the following (own underlining):174

“Your Personal Data may be transferred to external partners who may use it to send you commercial information or promotional offers or to commercialize it for these purposes. We only pass on such data to external partners who ensure the correct processing of this data, including Bisnode Belgium NV (Researchdreef 65, 1070 Anderlecht). However, [X] is not in any case liable for the use of this data by external partners. Your personal data can be used or commercialized by Bisnode Belgium to be able to provide you with personalized [sic] offers (possibly based on your marketing profile), to conduct market research or to validate, correct or link data already present in the databases of other companies (for more information about the processing of personal data by Bisnode Belgium consult www.bisnodeenu.be)”.

The Disputes Chamber rules that such wording (“can be used”) does not provide sufficient certainty to those involved about the nature and extent of the processing of their personal data by the defendant. Accordingly, there can be no question here of a transparent and honest provision of information to those involved by the data sources.

171 See edge no. 157 below.
172 Recital 60 — “In accordance with the principles of fair and transparent processing, the data subject should be informed of the fact that processing is taking place and its purposes. The controller must provide the data subject with the further information necessary to ensure fair and transparent processing with respect to the data subject, taking into account the specific circumstances and the context in which the personal data are processed. […]”; Article 14 GDPR — “1. When personal data have not been obtained from the data subject, the controller shall provide the data subject with the following information: […]” (the Disputes Chamber underlines). See also CJEU, October 1, 2015, C-201/14, Smaranda Bara et al. v. Președintele Casei Naționale de Asigurări de Sănătate (ECLI:EU:C:2015:638), edge no. 31.
173 Document 10 (“Piece 10 – Template contracts source – voir article 5”) as submitted by the defendant to the Inspection Service in the context of the investigation, p. 4.
174 The footnote gives the French-language original of the clause quoted above, which names Bisnode Belgium SA (Allée de la Recherche 65, 1070 Anderlecht) and refers to www.bisnodetvous.be.

157. The next question that arises is to what extent the defendant can rely on the exception to the information obligation, as provided for in the same provision. Article 14.5 GDPR provides that the obligation to provide information to data subjects does not apply when and to the extent that:175

a) the data subjects already have the information;
b) the provision of that information proves impossible or would require a disproportionate effort, or to the extent that the provision of information is likely to render impossible or seriously jeopardize the achievement of the purposes of the intended processing. In such cases the controller takes appropriate measures to protect the rights, the freedoms and the legitimate interests of data subjects, including making the information public;
c) obtaining or providing the data is expressly prescribed by Union or Member State law to which the controller is subject and that law provides for appropriate measures to protect the legitimate interests of the data subject; or
d) the personal data must remain confidential pursuant to professional secrecy under Union or Member State law, including a statutory duty of confidentiality.

175 See also Article 29 Data Protection Working Party – Guidelines on transparency under Regulation (EU) 2016/679 (WP260, April 11, 2018), edge nos. 58 et seq.

158. The Disputes Chamber determines that exceptions [c] and [d] do not apply to the processing by the defendant. Exception [a] is also not met, since the privacy statement on the website is incomplete176 and the standard paragraphs in the privacy statements of the data sources are generically worded.177 As for exception [b], the Disputes Chamber refers to the categories of personal data processed by the defendant as well as to the intended purposes, which were already explained above.178 It cannot be denied that the defendant is at least in possession of the contact details of those involved, since such data as well as the “identification data” form a common “attribute” for the three databases,179 and the business model of BLACK TIGER BELGIUM consists of collecting, aggregating and then making available so-called “contact points” with which the defendant's customers can subsequently improve their marketing and communication strategies.
The Disputes Chamber therefore considers it sufficiently proven that providing the information required under Article 14 GDPR to the data subjects whose personal data the defendant collects and processes is not impossible.

159. Furthermore, it is not clear, and the defendant does not make it at all plausible, to what extent compliance with the principle of transparency with regard to those involved would seriously jeopardize the objectives. The only reference to the necessary efforts that the defendant would have taken, which he raises in his defenses, is moreover not further substantiated by the documents submitted. When asked whether those involved would receive a privacy statement individually, the defendant answers concisely in both LIAs submitted180 that an individual provision of information would “require a disproportionate effort”:

However, this position cannot be accepted in light of Article 14 GDPR. The impossibility or disproportionate effort must be directly related to the fact that the personal data have not been obtained from the data subjects. In addition, a controller who wants to rely on the exception in Article 14.5.b) GDPR on the ground that providing the information would require a disproportionate effort must weigh the effort it would take to provide the information to the data subject against the effect and consequences for the data subject of not receiving the information.181

176 See edge nos. 107 and 108 in this decision.
177 See edge no. 156 in this decision.
178 See edge nos. 107 and 108 in this decision.
179 CMX; Permesso and Spectron.
180 Document 5 (“Legitimate Interest Assessment Consu-Matrix 27082020”) filed with the conclusions in response of the defendant; Document 6 (“Legitimate Interest Assessment Spectron 27082020”) filed with the conclusions in response of the defendant.

160.
The Disputes Chamber emphasizes in this regard that Article 14.5 GDPR is an exception to the right of data subjects and, in that sense, must be interpreted restrictively. It is established in this case that BLACK TIGER BELGIUM must have contact details of the data subjects in order to be able to achieve the intended objectives of the various databases. The Disputes Chamber further emphasizes that the defendant does not necessarily need to have the contact details of all those involved before they can all be informed at once; as soon as BLACK TIGER BELGIUM has a postal address or an e-mail address, the company is in principle able — and therefore obliged — to directly inform the specific data subjects about the collection and processing of their personal data, in line with Article 14 GDPR.

161. In this regard, the Disputes Chamber refers to the decision of the Polish data protection authority (Urząd Ochrony Danych Osobowych, hereinafter “UODO”), which on 25 March 2019 imposed a fine on BISNODE POLAND for failing to directly inform data subjects for whom the company had contact details about the processing of their personal data.182 The Disputes Chamber rules that the defendant could have taken this 2019 decision into account in the analysis at issue, dated August 27, 2020, regarding the obligation to provide information to those involved in Belgium, although he apparently did not do so. Whatever the case, the Disputes Chamber states that it is unacceptable, 5 years after the entry into force of the GDPR, not to directly inform those involved whose contact details are already known, and especially when electronic contact data is concerned, about the processing of their personal data.

181 Article 29 Data Protection Working Party - Guidelines on transparency under Regulation (EU) 2016/679 (WP260, April 11, 2018), edge nos. 62 and 64.
182 Urząd Ochrony Danych Osobowych – Decision ZSPR.421.3.2018 of March 15, 2019, available on the website of the Polish Data Protection Authority (UODO): https://uodo.gov.pl/decyzje/ZSPR.421.3.2018#. Despite the appeal that BISNODE POLAND subsequently lodged, the UODO's decision remained intact, but the imposed administrative fine of EUR 220,000 was reduced.

162. Although the Disputes Chamber acknowledges that the defendant has made efforts, in the absence of direct, individual provision of information, at least to make the information public on its website,183 the Disputes Chamber rules that this failure to inform those involved in a timely manner and individually constitutes a violation of the obligation, pursuant to Articles 12 and 14 GDPR, to provide data subjects with transparent — and therefore complete — information about the processing of their personal data, particularly when the data, as here, are collected indirectly. In such circumstances, data subjects certainly cannot be expected to consult the defendant's website, whether regularly or not.

163. In addition, the Disputes Chamber has already established184 that the categories “marketing profiles”, “consumer interests” and “family composition” were not mentioned in the privacy statement intended for consumers185 dated March 31, 2021, nor in the explanation on the current website of BLACK TIGER BELGIUM.186 The fact that the defendant, in his defenses dated September 11, 2023, filed in the context of the limited reopening of the debates, clarifies that the privacy statement on the BLACK TIGER BELGIUM website only indicates which personal data are processed in the context of its current activities does not alter the fact that the privacy statement for consumers was not complete at the time of the investigation — which the defendant, incidentally, recognized in his rejoinder dated March 7, 2022 — and therefore was in violation of Article 14 GDPR.

164.
In his response to the sanction form, the defendant states that the obligation to inform those involved individually and proactively was not extensively discussed in the written conclusions and that no adversarial debate has been opened on this point by the Disputes Chamber.187 The defendant also disputes the claim that he deliberately did not provide complete and sufficiently detailed information to those involved.

183 Article 29 Data Protection Working Party - Guidelines on transparency under Regulation (EU) 2016/679 (WP260, April 11, 2018), edge no. 64.
184 See edge nos. 107 to 109 in this decision.
185 Part 12 (“012 Screenshots of Bisnode Belgium website”) in the inventory, pp. 45-48.
186 https://avg.blacktigerbelgium.tech/uw-consumentengegevens/wat-consument/, accessed on August 4, 2023.
187 Response from the defendant to the sanction form dated October 31, 2023, p. 1.

165. In this regard, the Disputes Chamber first notes that the manner in which those involved are informed by the defendant or by the data sources about the processing of their personal data was indeed discussed both in the written conclusions and during the hearing on February 22, 2023. In the investigation report, the defendant is sufficiently informed that the transparency obligation applies both in the case of direct and indirect data collection. The Disputes Chamber also emphasizes that the transparency obligation that ensues from the GDPR already applied under Directive 95/46, and as such requires no further interpretation by the Disputes Chamber. Furthermore, the complainant refers in his complaint as well as in his written defenses to the fact that the processing of his personal data took place “without [his] knowledge”, “without contact” (on the part of the defendant), and that he “has not received any notice or notification from her according to Art 13 and 14 of GDPR, when they have collected [his] data”.188
The defendant was also informed through the conclusion letter dated November 29, 2021 of the possible infringement of Article 14 GDPR, of which paragraphs 1 to 4 must be read and complied with together, as well as of Article 5.2 in conjunction with 24.1 GDPR, “regarding the obligation for the controller to provide data subjects with concise yet complete, transparent and understandable information about the personal data that are processed, as well as the requirement for the defendant to guarantee and be able to demonstrate compliance with these obligations”. In the written procedure before the Disputes Chamber, the defendant was therefore free to put forward his defenses with regard to the grievances of the complainant as well as the lack of evidence, established by the Inspection Service, that the defendant had appropriately complied with his obligations under Article 14 GDPR. Also during the hearing, after the complainant expressed his dissatisfaction about “the collection of numerous personal data without being informed of this”,189 the defendant had the opportunity to explain his position regarding the obligation that rested on BISNODE BELGIUM and subsequently BLACK TIGER BELGIUM in accordance with the requirements of Article 14 GDPR. The Disputes Chamber also noted that the defendant then merely replied that “the sources as well as the customers of BLACK TIGER BELGIUM are contractually obliged to inform the data subject about the transfer of their personal data to, or respectively their communication by, BLACK TIGER BELGIUM”. Finally, the defendant was given one last opportunity to make his position known to the Disputes Chamber, in response to the sanction form dated October 31, 2023.
In view of the foregoing elements, the Disputes Chamber rules that the defendant has indeed been given several opportunities to defend himself against the allegation that he did not inform the data subjects in an appropriate manner — i.e., in a complete, transparent and proactive manner, taking into account the context of the processing — in accordance with Article 14 GDPR. The argument that the defendant raises in his response to the sanction form is therefore manifestly unfounded.

188 Complaint form as submitted by the complainant on January 28, 2021.
189 Official report of the hearing dated February 23, 2023, p. 13.

166. Given the lack of a complete privacy statement190 as well as the conscious — as sufficiently appears from the balancing of interests submitted to the Disputes Chamber191 — choice of the defendant not to directly inform those involved about the processing of their personal data by BLACK TIGER BELGIUM, despite the fact that the defendant has the contact details of the majority of those involved, the Disputes Chamber is of the opinion that the defendant, at least vis-à-vis the data subjects whose contact details were known, has violated Article 14 GDPR through serious negligence.

II.5. Handling requests from data subjects to exercise their rights (Article 12.1 and 12.2, Article 15.1, Article 5.2, Article 24.1, and Article 25.1 GDPR)

II.5.1. Position of the Inspection Service

167. According to the Inspection Service, the defendant does not demonstrate that he — in the context of the handling of their request for access — has informed the complainants effectively and transparently about all available information on the source of their personal data in accordance with Article 15.1.g) GDPR. After all, the complainants were not informed about how the defendant obtained their personal data from the stated sources, and when.
In addition, the Inspection Service determines that the information provided is too vague and based too much on a general standard answer, with the result that the complainants have not received an adequate, tailored answer. Finally, according to the Inspection Service, the defendant does not demonstrate that in his letter to both complainants he stated the right to erasure of data and the right to object effectively and transparently; the Inspection Service determines that the existence of these rights was communicated to only one of the complainants.

II.5.2. Position of the parties

168. The complainant states that BLACK TIGER BELGIUM has violated Article 12.3 GDPR by providing electronically requested information on paper. The complainant argues that the defendant has not complied with its obligation under Article 12.3 GDPR, as the responses to the requests for access were delivered to those involved by paper mail, notwithstanding the fact that the defendant requires that those involved submit the request for access to their personal data via the defendant's website, in other words electronically, whereby data subjects also provide their email addresses.

190 See edge no. 163 in this decision.
191 See screenshot at edge no. 159 in this decision: “Is a fair processing notice provided to the individual, if so, how? Are they sufficiently clear and up front regarding the purposes of the processing? We don't inform each and every data subject personally as this would involve a disproportionate effort. However, our sources must explicitly mention the possible use of data by Bisnode in their privacy notices, we are mentioned in every mail […]” (own underlining).
Regarding the mention of the sources of his personal data, the complainant states during the hearing — referring to the response to his request for access — that the defendant reports statistical and neighborhood data about the bearing, which, however, cannot possibly come from the sources which the defendant lists in his answer. During the hearing, however, the complainant states that he has deliberately not requested the erasure of his data, to avoid these being removed prior to a decision by the Disputes Chamber. In addition, the complainant believes that he was unable to simply reply to the defendant's response, as the information was provided to him by post rather than electronically. The complainant also refers to the recent case law of the Court of Justice,192 which established that controllers are obliged to inform data subjects about the precise identity of the recipients of their personal data, while the defendant would have merely mentioned the categories of personal data in his response to the requests for access submitted by the complainants. During the hearing, the complainant also points, incidentally, to the lack of contact details of the DPO in the answer to his request for access, and he is annoyed that he had to look up the aforementioned contact details on the website on his own initiative.

169. With regard to the requests for information submitted by the complainants, the defendant states that, by letters from his DPO of November 13, 2020 and December 23, 2020 respectively, he has provided information “about the processing of their personal data: the files in which they are included and the purposes of the processing, as well as the legal basis for the processing, the existence of a right to object, the categories of data processed and information kept about the complainants, the recipients of the data, the period for which they are kept, the source of the data, and so forth”.
The defendant disputes that the answers he provided to both complainants can be regarded as a so-called “general standard answer”, since the defendant has informed both complainants separately about (i) the specific source of their data, (ii) the fact that these data were provided by the complainants themselves in their capacity as a customer, and (iii) the question whether or not cooperation with the relevant sources is still active. According to the defendant, the use of a form letter moreover testifies to the defendant's good internal organization for responding to requests from data subjects.

192 CJEU, January 12, 2023, C-154/21, RW v. Austrian Post (ECLI:EU:C:2023:3).

In addition, the defendant refutes the Inspection Service's finding that one of the complainants was not informed of the existence of his right to erasure and objection. The defendant refers to the letter addressed to the complainant, of which the second point explicitly states the two aforementioned rights.

In response to the complainants' grievance regarding the sending of the response by post, the defendant clarifies that he does not require proof of identity from those involved, precisely in order to promote the exercise of the rights of data subjects. In order to avoid the risk of unauthorized disclosure of data in case of identity theft, the defendant has therefore opted for sending by post to the address of the data subject known to him.

With regard to compliance with his obligation to provide information to those involved, the defendant refers during the hearing to the standard wording that the sources of BLACK TIGER BELGIUM include in their privacy statement, and with which those involved are informed of the collection of their personal data by the defendant. The defendant also states that those involved can obtain detailed information about the sources of their data in the context of a request for access.
Because of this, the defendant is not obliged to provide the precise identities of all sources in the privacy statement, as dozens of sources may be listed there while the personal data of an individual data subject only come from a limited number of the listed sources.

With regard to the mention, in the response to a request for access, of the categories instead of the specific recipients to whom data of the complainants were effectively transferred, the defendant posits that this approach was adopted at the time after internal consultation and with due observance of the case law at the time. According to the defendant, he cannot therefore be blamed for not having taken the subsequent case law of the Court of Justice into account.

In addition, the defendant emphasizes that the complainants' requests for access were answered in detail, and that the complainants did not subsequently submit any additional request in order, among other things, to obtain additional information about the precise sources of the personal data or the specific recipients of their personal data, or to have possibly incorrect information corrected. Finally, the defendant recalls that the complainants have never requested the deletion of their data.

II.5.3. Judgment of the Disputes Chamber

Reply by post

170. The Disputes Chamber determines on the basis of the documents submitted that both complainants received a response by post, although their original access requests were sent electronically. The defendant does not dispute this, neither in the context of the written defenses nor during the hearing.

171. However, Article 12.3 GDPR expressly states: “3. The controller shall provide the data subject without undue delay and in any event within one month of receipt of the request under Articles 15 to 22 information about the action taken on the request.
Depending on the complexity of the requests and the number of requests, that deadline can be extended by an additional two months if necessary. The controller informs the data subject of such extension within one month of receipt of the request. When the data subject submits his request electronically, the information will be provided electronically if possible, unless the data subject requests otherwise.”

172. Article 15(3) in fine GDPR states that when the data subject submits his request electronically, and does not request any other arrangement, the information must be provided in a commonly used electronic form, whereby what is commonly used must be determined from the position of the data subject and not of the controller [193]. Therefore, the Disputes Chamber considers the infringement of Article 12.3 GDPR sufficiently proven. Although the investigation report only establishes violations of Articles 12.1 and 12.2 GDPR, Article 12 GDPR must be read and complied with in its entirety, including Article 12.3 GDPR. After all, the manner in which a controller grants a request always falls within the general obligation to facilitate the exercise of their rights by data subjects, as provided for in Article 12.2 GDPR, as well as within the complementary obligation in Article 12.1 GDPR to provide the communications referred to in Articles 15 to 22 GDPR by electronic means “if appropriate”. The foregoing also applies mutatis mutandis to Article 15.3 GDPR, which must be complied with in conjunction with the other paragraphs of Article 15 GDPR. Finally, the Disputes Chamber emphasizes that, in the context of the proceedings, the defendant was indeed given and used the opportunity to put forward defenses on this matter, as is clear from the defendant's conclusions in rejoinder and its response to the sanction form, respectively:

[193] EDPB – Guidelines 01/2022 on Data Subject Rights – Right of Access (v2.0, 28 March 2023), marginal nos. 32, 134 and 148 et seq.
“To promote the exercise of the rights of data subjects, Black Tiger Belgium demands no proof of identity from the persons involved. As a result, she sends her answers by post to the address of the data subject known to her, so that the risk of unauthorized disclosure of data in case of identity theft is avoided.” [194]

“With regard to the answers that were sent by post to those involved, Black Tiger Belgium has furthermore already explained that this was necessary to ensure that there was no unauthorized disclosure of personal data, which testifies to a high degree of care.” [195]

173. Although it cannot be ruled out that dispatch by post would offer more security than an electronic transmission if no proof of identity is requested, the Disputes Chamber is of the opinion that, in addition to regular e-mail, other, more secure communication channels exist to deliver the requested information electronically, in accordance with Article 12.3 GDPR. Moreover, according to the Disputes Chamber, sending by post does not necessarily guarantee that the information sent ultimately ends up with the 'right' data subject, since the defendant cannot rule out that the person concerned has moved in the meantime. In a more general sense, the Disputes Chamber finds that the defendant does not act carefully by not asking for proof of identity or checking the identity of applicants in advance. The Disputes Chamber determines in this regard that the defendant already requires the (electronic) contact details of the data subjects [196] so that they can exercise their rights on the defendant's web page. All fields except the telephone number are required to be completed.
Consequently, the Disputes Chamber rules that the defendant has sufficient information to check whether the e-mail address corresponds to the contact details of the data subject that are already included in the defendant's database(s), prior to further processing of the request. In case of doubt, the defendant could if necessary contact the person concerned via the contact details already known in the databases, to ask him/her for confirmation whether the access request is legitimate. By deliberately answering requests from data subjects by post, the defendant also makes it more difficult for them to follow up the first response with an additional request, if they deem this desirable. The former and current websites do not allow, for example, the first answer to be attached to a new request submitted via the online contact form. The foregoing was also expressly raised by the complainant during the hearing on February 22, 2023 [197], and the defendant was given the opportunity to defend himself on this point during the same hearing as well as in the context of his response to the official report.

[194] Conclusions of the defendant's rejoinder, submitted to the Disputes Chamber on March 7, 2022, p. 25-26.
[195] Response from the defendant to the sanction form dated November 24, 2023, p. 2, (iii).
[196] First name, last name, telephone number, email, street name, number, zip code and city of the data subject: https://avg.blacktigerbelgium.tech/uw-rechten/. See also Piece 12 (Screenshots of the Bisnode Belgium website taken by the Inspection Service on March 31, 2021) in the inventory.

174. In short, the reasons given by the defendant for sending answers to requests for access via regular mail are not only unconvincing for the Disputes Chamber, but also in violation of Article 12.1 as well as 12.3 GDPR in conjunction with 15.3 GDPR.
In addition, the defendant does not act in line with its obligation to facilitate the exercise of their rights by data subjects, in accordance with Article 12.2 GDPR.

In view of the foregoing, the Disputes Chamber decides that the defendant has violated Articles 12.1 and 12.2 GDPR as well as 12.3 in conjunction with 15.3 GDPR by not sending the answers to the complainants' requests for access electronically but only by post, which unnecessarily hindered the complainants from exercising their rights.

Sources of the personal data

175. With regard to the failure to indicate the precise sources of the personal data of the complainant, the Disputes Chamber notes that the defendant only reports the company TELE TICKET SERVICE [198] as a data source for the consumer database (CMX). However, during the hearing and in his defenses, the defendant does not provide any explanation for the lack of information about the source of the “statistical data at neighborhood level”.

176. According to Article 15.1 GDPR, the data subject has the right to obtain clarity from the controller about whether or not data concerning him are processed. If that is the case, the data subject has the right to inspect those personal data and the information referred to in Article 15.1.a) to 15.1.h), such as the purpose of the processing of the data as well as the sources and possible recipients of the data. The purpose of the right of access is to enable the data subject to understand how his personal data are processed and what the consequences are, as well as to verify the accuracy of the processed data, without having to justify his intention [199].

[197] Official report of the hearing dated February 23, 2023, p. 5.
[198] “The source of your data is Tele Ticket Service, which provided us with the addresses of its customers.
Meanwhile, this collaboration with Tele Ticket Services has been terminated.” in Section 2 (“Response to the request for access dated 13 November 2020 from Bisnode Belgium”) lodged with the defendant's response.
[199] See decision on the merits 57/2023 of 16 May 2023, marginal no. 44 (available on the GBA website).

Since it is not likely that TELE TICKET SERVICE provides (has provided) residential data to the defendant and the defendant has not given any explanation regarding the origin of the “statistical data at neighborhood level”, although the aforementioned data probably come from the National Institute for Statistics, the Disputes Chamber believes it is sufficiently proven that the defendant did not mention all relevant data sources in his reply to the complainant.

In view of the foregoing, the Disputes Chamber therefore decides that the defendant has committed an infringement of Article 15.1.g) GDPR by not immediately communicating all available information about the sources of the complainant's personal data.

Contact details of the DPO

177. Regarding the lack of DPO contact details in the response as well as the alleged lack of indication of the rights of objection and data erasure, the Disputes Chamber rules that the complainant's grievance was not established by the Inspection Service, is not well-founded, or is not supported by the documents before it. After all, Article 15 GDPR in no way requires that the contact details of the DPO be stated in the response to a request for access, and it is certain that the aforementioned rights are effectively listed in the response to the complainants' request.
Furthermore, the Disputes Chamber notes that the contact details of the DPO are clearly stated at the top of the contact form on the defendant's website, as appears from the screenshots by the Inspection Service. The GDPR does not require the controller to share an e-mail address of the DPO with the data subjects. The communication of a postal address in combination with a contact form to handle requests in a structured manner is sufficient as long as this does not hinder the exercise of their rights by the data subjects.

The Disputes Chamber therefore determines that the defendant has not violated the GDPR on this point.

[200] See marginal no. 83 in this decision.

Recipients of the personal data

178. With regard to the precise identification of the recipients to whom the defendant has transferred the complainant's personal data, the complainant points to the Austrian Post judgment of the Court of Justice. In this case the Court ruled that controllers are obliged, at the request of data subjects, to provide the actual identity of the recipients to whom data have been or will be provided. Only when it is not (yet) possible to identify these recipients is the controller allowed to limit the information communicated to the relevant categories of recipients [201].

179. In this case, the Disputes Chamber notes that the defendant, when handling the complainants' requests, limited its response to the categories of recipients. Although the requests for access underlying the present proceedings precede the ruling of the Court of Justice, the Disputes Chamber is of the opinion that the defendant was obliged to communicate the precise identity of the recipients to the complainants from the first request for access.
After all, in its judgment the CJEU states that the right of access of data subjects is indispensable to enable them to exercise other rights granted by the GDPR [202]. This interpretation is also apparent from the EDPB's Guidelines on the Right of Access [203], as well as from the guidelines on transparency, which were adopted by the Article 29 Data Protection Working Party in 2017 and revised on April 11, 2018 [204], well before the defendant received the access requests. It is therefore established that the right of access provided for in Article 15 GDPR, contrary to the right to information under Articles 13 and 14 GDPR, does require the controller to provide specific information about the processed personal data, with a sufficient degree of accuracy to enable the data subject to acquire “informational self-determination” [205] and, where appropriate, to assess the compliance of the practice with the GDPR. The sufficiently transparent and accurate nature of the information communicated in the context of a right of access also contributes to data subjects being able to exercise their rights under the GDPR more easily, in accordance with Article 12.2 GDPR. By specifically indicating who the recipients of the personal data are, data subjects can then exercise their rights directly against those recipients.

Contrary to what the defendant stated in his response to the official report of the hearing, there is therefore no retroactive effect of the judgment of 12 January 2023 of the CJEU, since that judgment merely provides an interpretation of an obligation that arises directly from Article 15.1.c) GDPR, which was already applicable beforehand.

[201] CJEU, January 12, 2023, C-154/21, RW v. Austrian Post (ECLI:EU:C:2023:3), marginal nos. 39, 43 and 48.
[202] CJEU, January 12, 2023, C-154/21, RW v. Austrian Post (ECLI:EU:C:2023:3), marginal no. 38.
[203] EDPB – Guidelines 01/2022 on Data Subject Rights – Right of Access (v2.0, 28 March 2023), marginal nos. 116-117.
[204] Article 29 Data Protection Working Party – Guidelines on transparency in accordance with Regulation (EU) 2016/679 (WP260, rev. 01, April 11, 2018), pp. 43-44: “The (names of the) actual recipients of the personal data, or the categories of recipients, must be provided. In accordance with the principle of fairness, controllers must provide the information about the recipients that is most meaningful to the data subjects. In practice, these will usually be named recipients, so that those involved know exactly who has their personal data.”
[205] See Decision on the merits 15/2021 of February 9, 2021, marginal no. 165 (available on the GBA website).

In view of the foregoing, the Disputes Chamber decides that the defendant has committed an infringement of Article 15.1.c) GDPR, by not providing all available information about the specific recipients of the complainants' personal data.

II.6. Use of cookies on the defendant's websites (Article 4.11), Article 5.1.a) and 5.2, Article 6.1.a), as well as Article 7.1 and 7.3 GDPR)

II.6.1. Position of the Inspection Service

180. The Inspection Service has established that the information about the use of cookies provided by the defendant to website visitors, in the cookie window at the bottom of the home page of the website https://bisnodeandyou.be, is only available in English. In addition, the two options on the home page of the website are not presented in an equivalent way, and the cookie window disappears after clicking on the language button at the top right of the website homepage. Finally, the defendant provides no explanation to website visitors about how they can withdraw their given consent.

181. With regard to the website https://www.permesso.be, the Inspection Service establishes that the information about the use of cookies is available in both Dutch and French and makes it clear that in addition to essential cookies, other cookies are also placed.
In addition, the two options on the home page of the website are not presented in an equivalent way, and the Dutch version of the cookie window disappears after clicking the language button. Finally, the defendant provides no explanation to website visitors about how they can subsequently withdraw their given consent.

182. Based on the previous findings, the Inspection Service concludes that the defendant does not obtain legally valid consent within the meaning of Article 4.11) GDPR, and therefore also cannot demonstrate that those involved have given valid consent for the placement of cookies on their devices.

II.6.2. Position of the defendant

183. The defendant acknowledges that there were certain shortcomings in its previous cookie policy, but emphasizes that following the publication of the guidelines on the GBA website, in 2020, it was decided to conduct an analysis of the existing cookie practice of the defendant in order to identify and remedy shortcomings. According to the defendant, however, this faded into the background due to the several takeovers, and it was ultimately decided by BLACK TIGER BELGIUM to only use strictly necessary cookies.

II.6.3. Judgment of the Disputes Chamber

184. The Disputes Chamber is unable, solely on the basis of the screenshots of https://bisnodeandyou.be/ and https://www.permesso.be/ respectively, to establish a violation of the regulations regarding the placement of cookies. After all, with regard to the first website, it can only be deduced that the website places a consent cookie (“OptanonConsent”), linked to the domain bisnodeandyou.be, with an expiry period of one year. Therefore, the Disputes Chamber cannot decide that this cookie supports an unnecessary function. With respect to the second website, it also cannot be deduced that the defendant would place unnecessary cookies without the prior consent of those involved.
The only cookies that the Inspection Service has established are, in addition to the already mentioned OptanonConsent, two session cookies (PHPSESSID and wml_browser_redirect_test). These are both functional cookies, linked to the permesso.be website. Furthermore, the Disputes Chamber has determined after its own research that the website https://bisnodeandyou.be/ is no longer accessible, and that the website https://www.permesso.be/ has not been in use since at least July 25, 2021.

Consequently, the Disputes Chamber decides that the findings of the Inspection Service related to the placement of cookies on the two aforementioned websites of the defendant cannot be upheld.

II.7. Accountability of the defendant (Article 5.2, Article 24.1, as well as articles 25.1 and 25.2 GDPR)

II.7.1. Position of the Inspection Service

185. In his answer to the Inspection Service's questions, the defendant refers to various data protection initiatives and documents. The Inspection Service emphasizes, however, that the defendant has committed, among other things, a violation of Article 5.2, Article 24.1 and Article 25.1 GDPR, as well as with regard to certain articles of the GDPR on the rights of the data subject. The uncompleted and unsigned model agreements to which the defendant refers in his answers [206] do not, according to the Inspection Service, indicate that these templates are used effectively and systematically. In addition, it does not appear from the documents provided by the defendant [207] that they were effectively approved by the highest level of management of the defendant, nor that compliance with the rules and guidelines stated therein is effectively monitored and that infringements are effectively sanctioned.

[206] Pieces 10 to 12 transferred by the defendant to the Inspection Service.
[207] Pieces 1 to 38 transferred by the defendant to the Inspection Service.

II.7.2. Position of the defendant

186.
The defendant argues that the findings by the Inspection Service with regard to the data protection documents are unfounded. The defendant argues that during the investigation by the Inspection Service he always provided complete, precise, detailed and completely transparent information in response to all questions asked, and points out that the shortcomings found are in any case minor and appear to be of no consequence. Furthermore, the defendant regrets that the inspection report did not take into account the more global implementation of the GDPR by the defendant to comply with its obligations under the regulation. The fact that he has model agreements and standard documents, according to the defendant, precisely indicates that he has implemented a reasonable level of internal compliance and preparedness in the event of the exercise of their rights by data subjects, or of an investigation or audit by the GBA. The defendant also states that he is in no way “obligated to prove that these templates are actually used, especially since the Inspection Service does not mention any specific cases in which they have not been used, and the defendant also demonstrates that he does indeed use standard answers to respond to data subject access requests”.

187. The defendant then refutes the Inspection Service's findings regarding the effective and systematic use of model agreements, the approval of policy documents by the highest levels of management, as well as the lack of proof of the implementation of the control and sanction measures provided for in the event of breaches of internal procedures. The defendant states that there is no legal obligation to prepare a report for each meeting of the board of directors in which the precise decisions are recorded.
He also refers to the contradictory statements of the Inspection Service, which on the one hand criticizes the use of standard letters, and on the other hand accuses the defendant of not using the standard documents submitted. The defendant believes that he is not obliged to prove that the templates transferred are actually used, especially because the Inspection Service does not mention any concrete cases in which the templates would not have been used.

188. Furthermore, the defendant refers to the fact that BLACK TIGER BELGIUM was in no way involved in the course of the events that the complainants complain of, and moreover very quickly reported itself to the GBA to make its position known. In addition, the defendant emphasizes once again that the CMX database has now been removed and that the Data Delivery activities were terminated three months after the takeover by BLACK TIGER, and therefore asks the Disputes Chamber to take this carefully into account when choosing an appropriate sanction. In short, the defendant requests the Disputes Chamber, by way of privilege, to declare that no sanction is necessary, as the defendant has permanently terminated the disputed processing on his own initiative.

The defendant clarifies that, since discontinuing the Data Delivery activities, BLACK TIGER BELGIUM exclusively acts as a processor in the context of the Data Quality services to customers. However, this does not prevent BLACK TIGER BELGIUM from taking appropriate technical and organizational measures and maintaining the necessary documentation, such as, incidentally, was transferred to the Inspection Service during the investigation. In addition, the defendant refers to the letter from the CEO of BLACK TIGER BELGIUM addressed to the GBA, in which the changed strategy as well as the decision to switch to pure Data Quality services were explained, but which remained unanswered by the Inspection Service.

II.7.3.
Judgment of the Disputes Chamber

189. The Disputes Chamber rules that there can be no doubt that BLACK TIGER BELGIUM must be held responsible for the processing activities that took place before the takeover of BISNODE BELGIUM by BLACK TIGER GROUP and the subsequent name change. This responsibility, which is separate from the involvement of the 'new' company in the disputed processing activity, is a direct result of the transition from BISNODE BELGIUM to BLACK TIGER BELGIUM, in which the decision-making power over the means and purposes of the processing of personal data was taken over without further ado. Assuming the opposite would imply a vacuum with regard to responsibility over transferred personal data, to the detriment of the protection of fundamental rights and freedoms of those involved, especially when the 'acquirer' takes over the processing activities for a certain period after the acquisition. In addition, the Disputes Chamber emphasizes that the company numbers of BISNODE BELGIUM and BLACK TIGER BELGIUM are identical.

190. Article 5.2 and Article 24 GDPR impose general accountability obligations and compliance requirements on data controllers. Article 5.2 GDPR holds the controller responsible for compliance with the general principles regarding the processing of personal data. Pursuant to Article 24 GDPR, controllers must in particular, taking into account the nature, scope, context and purpose of the processing, take appropriate technical and organizational measures to guarantee the right to data protection and to be able to demonstrate that the processing is carried out in accordance with the GDPR.

191. In the present case, the Disputes Chamber has now ruled that the defendant could not demonstrate by appropriate methods of compliance that the disputed data processing complied with the provisions of the GDPR.
The Disputes Chamber has determined that the defendant unjustifiably relies on Article 6.1.f) GDPR as the basis for the CMX and Spectron databases in which the personal data of the complainants are also processed. The defendant has not properly weighed its own interests and those of its customers, on the one hand, against the interests as well as the fundamental rights and freedoms of those involved, on the other hand [208]. Furthermore, the defendant unlawfully disregards his obligation to provide information with regard to the data subjects, the data sources as well as its customers, as a result of which those involved are not informed in a timely manner of the processing of their personal data in the context of the commercial services offered by the defendant [209]. With regard to the handling of requests by those involved, the Disputes Chamber also concluded that the chosen course of action, and in particular sending responses to requests for access by post although the requests can be submitted electronically, is not in accordance with the provisions of Article 15 GDPR [210].

In addition, the Disputes Chamber notes that a number of submitted policy documents have not been updated since their last change in 2018, although a series of points require active follow-up by the controller. The Disputes Chamber refers in particular to the established storage period of 15 years, for which the controller indicated that he still needed to document a justification. This finding is also supported by the statement “See Data Retention Policy (under review)” in the register of processing activities transferred to the Inspection Service by the defendant [212].
Accordingly, the Disputes Chamber considers the infringement of Article 5, Article 24.1, as well as Article 25.1 and 25.2 GDPR proven, with regard to the inability to guarantee or demonstrate that the processing takes place in accordance with the data protection principles laid down in Article 5.1 GDPR and with due respect for the fundamental rights and freedoms of those involved, as laid down in, among others, Articles 12, 14 and 15 GDPR.

[208] See marginal nos. 134 to 141 in this decision.
[209] See marginal nos. 151 to 162 in this decision.
[210] See marginal nos. 170 up to and including 173 in this decision.
[211] Article 1 (“DPIA Bisnode 23 May 2018 - Consu -Spectron-Permesso”) as transferred by the defendant to the Inspection Service in the context of the investigation, p. 15 in fine.
[212] Loosely translated: “See Data storage policy (currently being revised)” in Piece 30 (“BisnodeBelgium - Copy of Record of Processing”) as transferred by the defendant to the Inspection Service in the context of the investigation.

192. The Disputes Chamber, on the other hand, decides that the other findings of the Inspection Service regarding the handing over of uncompleted and unsigned model agreements, the lack of control and sanction measures in a number of documents, as well as the lack of formal approval by the top management level of the defendant, should not be taken into consideration. The Inspection Service makes it insufficiently plausible that the defendant actually committed an infringement in this regard of the provisions of the GDPR related to the accountability of the controller. Finally, these findings do not fall within the scope of the initial complaint.

II.8. Register of processing activities (Article 30.1, 30.2, and 30.3 GDPR)

II.8.1. Position of the Inspection Service

193. The defendant considers itself a processor for various processing activities included in its register of processing activities.
However, the Inspection Service determines that this register does not meet the minimum requirements, as the description of the categories of data subjects and categories of personal data is incomplete, the retention periods of the personal data are not stated, a general description of the technical and organizational security measures (“TOMs”) is missing, and finally the name and contact details of each controller on behalf of whom the defendant acts as processor are not listed in the register.

II.8.2. Position of the defendant

194. The defendant states that Article 30.1.c) GDPR does not oblige him in any way to list the data subjects in identified form in its register of processing activities. According to the defendant, it is sufficient to designate the persons concerned as consumers, customers (clients), employees (staff), etc. Furthermore, Article 30.1.c) GDPR merely obliges him to provide a description of the categories of personal data processed. The defendant believes that this is satisfied by, among other things, listing the following categories in the data register: identification data (contact data), socio-demographic and lifestyle data (socio-demo and lifestyle data) and family typology. The defendant also disputes that he violated Article 30 GDPR by merely referring to internal policy documents in which the intended retention periods as well as a description of the technical and organizational measures are stated. The defendant believes that the register of processing activities is mainly intended for internal use as a supporting document, and must be in accordance with the operational reality of the controller. Finally, the defendant states that his activities as a processor are included in the internal register of processing activities, but are only accessible “for certain persons”.
Since the Inspection Service did not request it, the defendant did not provide this information, which is available.

II.8.3. Judgment of the Disputes Chamber

195. The Disputes Chamber notes that the submitted register of processing activities is limited to mentioning the categories of data subjects, without defining these categories in more detail. Article 30.1.c) GDPR expressly requires that the register contain “a description of the categories of data subjects and of the categories of personal data” (own underlining). Since the requirement to actually describe the relevant categories is also present in the English and French versions of the GDPR [213], according to the Disputes Chamber there can be no doubt about the scope of this provision. As mentioned earlier in this decision, the descriptions of the categories of personal data processed by the defendant differ depending on the policy document referred to [214]. However, it is extremely important that each controller clearly defines for himself which personal data are processed exactly under his supervision, and also documents this in the register of processing activities, as required under the accountability obligation (Article 5.2 in conjunction with 24 GDPR) [215]. An appropriate granularity in the internal register of processing activities is all the more important because the information that controllers must provide to data subjects under Articles 13 and 14 GDPR is limited to the categories of personal data concerned. However, as soon as a data subject exercises his right of access, the controller must, in accordance with the guidelines of the EDPB, nevertheless communicate a complete picture of the processed personal data to the requester, including the precise personal data concerning him or her that the controller actually processes [216]. Accordingly, the Disputes Chamber considers the infringement of Article 30.1.c) GDPR by the defendant as proven.

196.
With regard to the reference to external policy documents in which the retention periods as well as the technical and organizational measures are described, the Disputes Chamber, in contrast to the Inspection Service, infers from the different wording of Article 30.1.f) and 30.1.g) GDPR that such information does not have to be systematically included in the register of processing activities. As long as the register refers appropriately to the policy documents in which the aforementioned information can be easily verified, there is, according to the Disputes Chamber, no infringement of Article 30.1 GDPR.

[213] “(c) a description of the categories of data subjects and of the categories of personal data;” and “c) une description des catégories de personnes concernées et des catégories de données à caractère personnel;”
[214] See marginal no. 107 in this decision.
[215] Decision on the merits 15/2020 of April 15, 2020, marginal no. 142 (available on the GBA website).
[216] EDPB – Guidelines 01/2022 on Data Subject Rights – Right of Access (v2.0, 28 March 2023), marginal no. 115.

197. In his conclusions, the defendant takes the position that the Inspection Service could have received a register of processing activities as a processor if it had requested this. On further examination of the relevant register, however, the Disputes Chamber notes that it is possible to filter on activities as a processor (“processor”) under the column “Controller or processor?”. The Disputes Chamber decides accordingly that the defendant uses one central processing register, in which both the data processing as controller and the processing that the defendant carries out on behalf of another are documented.

198.
However, the Disputes Chamber notes that the processing activities that belong to the second category do not indicate “a) the name and contact details […] of any controller on whose behalf the processor acts, and, where applicable, of the representative of the controller […] and of the data protection officer;”. The infringement of Article 30.2.a) GDPR is thus established.

199. Finally, the Disputes Chamber rules that no infringement of Article 30.3 GDPR can be upheld solely on the basis of the finding that the register of processing activities does not contain all mandatory information.

II.9. Involvement of the DPO (Article 38.1 and Article 39.1 GDPR)

II.9.1. Position of the Inspection Service

200. Although the role of the DPO is clearly defined and the DPO is supported in the performance of its duties, the Inspection Service determines that the defendant has not provided the Inspection Service with any information and/or advice from the DPO on (a) transparent information to data subjects and (b) the register of processing activities, and that the defendant has therefore not shown the involvement of the DPO in the aforementioned subjects. Most of the documents the defendant cites to prove the activities of his DPO do not show how and when the DPO concretely intervened, or what concrete measures the defendant may have taken in response to advice from his DPO.

II.9.2. Position of the defendant

201. The defendant declares that compliance with Articles 38.1 and 39.1 GDPR is demonstrated by the evidence of the commitment and key role that the DPOs have played since 2018. This includes maintaining GEBs (data protection impact assessments) for each of the databases, creating the website www.bisnodeetvous.be, the creation of a process for requests from data subjects to exercise their rights, the revision of the technical and organizational measures and finally the rollout of the GEB process.
More generally, the defendant states that the role of the DPO, its duties and its importance within the company are demonstrated by the production of two essential documents from the BISNODE GROUP, which the then BISNODE BELGIUM took over mutatis mutandis after its departure from the group. The defendant disputes the Inspection Service's finding that he has not shown that the DPO, together with other legal advisors within the company, was indeed involved in determining the information to be provided to the data subjects, as well as in the preparation of the register. After all, according to the defendant, it is sufficiently clear from the documents sent that the DPO was, and is, involved at all levels in the projects, decisions and daily operations regarding the processing of personal data. The fact that specific documents have not been provided to the Inspection Service does not, according to the defendant, prove that the DPO was not involved. The defendant refers in this regard to the lack of questions addressed to the defendant on this point during the investigation. In addition, the defendant points out that the GDPR nowhere prescribes how a controller can or must demonstrate the involvement of the DPO. The indication of the different functions that were involved in a project or contributed to a document is not only usual but, according to the defendant, at least a beginning of evidence, or a reasonable indication, of the involvement of the aforementioned functions.

II.9.3. Judgment of the Disputes Chamber

202. The Disputes Chamber understands from the documents submitted and the arguments put forward by the defendant that BISNODE BELGIUM had already started an extensive implementation process before the entry into force of the GDPR [217], and that the then DPO and his substitute were involved in drafting policy documents related to the processing of personal data by the controller.
In addition, the Disputes Chamber notes that the Inspection Service, in the context of the investigation, did not ask the defendant any additional questions in order to obtain evidence of the DPO's involvement in concrete projects. The Disputes Chamber therefore does not have sufficient elements to substantiate the violation of Articles 38.1 and 39.1 GDPR retained by the Inspection Service. Consequently the Disputes Chamber can investigate the violations of the GDPR regarding the involvement of the DPO.

[217] Document 32 as submitted by the defendant to the Inspection Service in the context of the investigation.

II.10. Additional considerations regarding the inspection report

203. The inspection report lists three circumstances that, according to the Inspection Service, would play a role in assessing the seriousness of the alleged infringements:
i. the defendant processes personal data systematically and on a large scale as core activity;
ii. the nature of the infringements found is serious, and the defendant does not keep his promises;
iii. the register of processing activities is incomplete and unclear.

204. The defendant believes that these circumstances are wrongly put forward. Firstly, the defendant cannot be blamed for processing personal data on a large scale, as long as he complies with the rules on the protection of personal data. In addition, the defendant emphasizes that the size and scope of the processing are not further qualified or characterized in the report of the Inspection Service, which is limited to establishing that the defendant profiles itself as a specialist in direct marketing.
The Disputes Chamber, on the other hand, rules that the finding of large-scale data processing should not be regarded solely as an aggravating circumstance, but certainly also as part of the balancing test between the fundamental rights and freedoms of the data subjects, on the one hand, and the interests put forward by the defendant and its customers, on the other.

205. Secondly, the defendant argues that the investigation report confuses the infringements as such with the aggravating circumstances of those same infringements. According to the defendant, the Inspection Service has thus not presented any concrete circumstances, apart from the alleged infringement itself, on the basis of which the seriousness of the infringement could be assessed. With regard to the privacy statements on the website, the defendant disputes the allegations, which have not even been proven, that the defendant deliberately wanted to mislead the confidence of the data subjects.

The Disputes Chamber has already ruled in the present decision that there are sufficient indications that the defendant consciously chose to leave the information obligation towards the data subjects mainly to its partners (who supply the personal data) and its customers (who receive the personal data). The Disputes Chamber has also concluded that such a course of action does not comply with the requirements of Article 14 GDPR [218].

206. Thirdly, according to the defendant, it cannot reasonably be disputed that he has put in place robust and adequate internal procedures, policies and rules to protect personal data, nor that the defendant has attempted in good faith to comply with the GDPR in both its spirit and its letter.
The defendant refers to his choice to discontinue the Data Delivery activities on his own initiative (a choice that had not yet been published at the time the inspection report was issued), as well as to limit his current activities to data analysis and services that do not involve a role as a data broker. This reorientation should, according to the defendant, play a decisive role in assessing the seriousness of the alleged infringements as well as the good faith of the defendant.

The Disputes Chamber will take into account the fact that the defendant decided after the takeover to discontinue a number of services in the context of the following determination of sanctions and corrective measures.

207. Fourth, the defendant claims that, even without knowledge of the investigation report, he made several attempts before it was released on May 20, 2021 to contact the Inspector General and the then chairman of the GBA, in order to inform them of this important adjustment to the business activities and to enter into a constructive dialogue with them, as the defendant had also done with the CNIL in France. The defendant states, however, that it was not possible to obtain a meeting with the GBA.

In this regard, the Disputes Chamber recalls that a party cannot in principle demand to be heard during an ongoing investigation, given the specific nature of the investigative powers granted to the Inspection Service [219]. The Market Court also ruled in its judgment of March 1, 2023 that the GBA, as supervisory authority, is pursuant to Article 52 GDPR completely independent in the performance of the tasks and powers assigned to it in accordance with the GDPR [220].

[218] See marginal no. 166 in this decision.
[219] See point 4.1.e of the Charter of the Inspection Service, available on the GBA website: https://www.gegevensbeschermingsautoriteit.be/publications/charter-van-de-onderzoekdienst.pdf.
[220] Court of Appeal Brussels (Market Court section), X v. GBA, Judgment 2022/AR/1085 of March 1, 2023, p. 7.

III. Sanctions and corrective measures

III.1. Established infringements

208. The Disputes Chamber is of the opinion that the present case involves serious violations of the fundamental rights of the data subjects. The Disputes Chamber furthermore finds that these violations must be classified as separate conducts [221]. More specifically, the Disputes Chamber finds violations of the following provisions of the GDPR, relating to three different conducts of the controller, set out below:

i. Infringement of Article 5 GDPR; Article 6 GDPR; Article 12 GDPR; Article 14 GDPR; Article 24 GDPR and Article 25 GDPR: The Disputes Chamber rules that the defendant indirectly, on a large scale and for a period of at least 15 years collected personal data of data subjects for both Data Delivery and Data Quality services, without providing individual information to the data subjects for whom the defendant nevertheless had contact details. The processing operations that accompanied or accompany these services are, after all, contrary to Article 5.1 GDPR, and more specifically the principle of lawfulness, fairness and transparency (5.1.a) GDPR), the principle of data minimization (5.1.c) GDPR) and the principle of storage limitation (5.1.e) GDPR). By opting, through serious negligence, for an indirect provision of information to the data subjects, either 'upstream' by the data sources of the defendant or 'downstream' by the customers of the defendant when they communicate with the data subjects for the first time, the defendant also violates his obligation to provide information as laid down in Articles 14.1 and 14.2 GDPR, read in conjunction with Article 12.1 GDPR.
For the processing of personal data without proactively providing information to the data subjects, the defendant therefore cannot validly rely on its legitimate interests or those of its customers (6.1.f) GDPR), as these interests do not outweigh the interests and fundamental rights of data subjects, and the data processing activities that serve these interests do not fall within the reasonable expectations of the data subjects. The defendant has also violated Article 25 GDPR due to the lack of appropriate technical and organizational measures to effectively guarantee compliance with the data protection principles, and in particular the principles of data minimization and storage limitation. Finally, because the defendant does not provide sufficient evidence (as is nevertheless required under the accountability obligation that rests on each controller) that the processing of data of the data subjects in the context of the aforementioned services takes place in accordance with data protection principles and with respect for the fundamental rights and freedoms of the data subjects, the defendant has also committed an infringement of Article 5.2 GDPR, read in conjunction with Article 24.1 GDPR.

[221] “Conducts” in the EDPB – Guidelines 04/2022 on the calculation of administrative fines under the GDPR (v2.0, May 24, 2023).

ii. Infringement of Article 12 GDPR as well as Article 15 GDPR: The Disputes Chamber decides that the defendant handled the complainants' requests for access improperly, in violation of the obligation to facilitate the exercise of the rights of data subjects and the requirement to provide full access and information to the data subjects regarding the processing of their personal data.
The defendant opted to send his written answers to the complainants' requests for access by post instead of in a commonly used electronic form, which constitutes a violation of Article 12.1 and 12.2 GDPR as well as Article 12.3 in conjunction with 15.3 GDPR. In addition, the defendant has failed to mention the source of the statistical information regarding the complainants in the answers to their requests for access, with the result that the defendant has also violated Article 15.1.g) GDPR. Finally, it is established that the defendant has, through serious negligence, committed an infringement of Article 15.1.c) GDPR, read in light of the guidelines of the Article 29 Working Party and the EDPB as well as the case law of the Court of Justice in its judgment C-154/21, by only communicating the categories of recipients in the reply to the complainants, although the defendant was able to identify the specific recipients [222].

iii. Infringement of Article 30 GDPR: Finally, the defendant has failed to include in the register of processing activities, in addition to an indication of the categories of data subjects and of the personal data processed, a description of these categories, as prescribed in Article 30.1.c) GDPR. The defendant has also violated Article 30.2.a) GDPR by not including in the centralized processing register, in which the processing activities both as controller and in the capacity of processor are documented, the identity of the controllers for whom the defendant acts as processor.

[222] CJEU, January 12, 2023, C-154/21, RW v. Austrian Post (ECLI:EU:C:2023:3).

209.
Pursuant to Article 100 of the WOG, the Disputes Chamber has the authority:
“1° to dismiss a complaint;
2° to order the dismissal of prosecution;
3° to order a suspension of the ruling;
4° to propose a settlement;
5° to formulate warnings and reprimands;
6° to order that the data subject's requests to exercise his rights be complied with;
7° to order that the person concerned is informed of the security problem;
8° to order that processing be temporarily or permanently frozen, restricted or prohibited;
9° to order that the processing be brought into compliance;
10° to order the rectification, restriction or deletion of data and the notification thereof to the recipients of the data;
11° to order the withdrawal of the recognition of certification bodies;
12° to impose penalty payments;
13° to impose administrative fines;
14° to order the suspension of cross-border data flows to another State or an international institution;
15° to transfer the file to the public prosecutor's office in Brussels, which informs it of the follow-up given to the file;
16° to decide on a case-by-case basis to publish its decisions on the website of the Data Protection Authority.”

III.2. Measures imposed by the Disputes Chamber

III.2.1. Corrective measures to bring the processing into compliance with the GDPR

210. Pursuant to Article 58.2.d) GDPR as well as Article 100, § 1, 8° and 9° WOG, the Disputes Chamber orders the defendant to terminate the violation of Article 5.1 GDPR, Article 6.1 GDPR, Article 12.1 GDPR, as well as Articles 14.1 and 14.2 GDPR, in the context of the B2B Data Quality services, and to keep it terminated until the processing is brought into line with the GDPR. The defendant can comply with this by, before processing personal data in the Spectron database, proactively and individually informing the data subjects for whom the defendant has contact details of the processing of their personal data by the defendant.
The defendant must also give the data subjects, for a period of 3 months from the provision of information, the opportunity to object in a simple and effective manner to the processing of their personal data before resuming processing. As for the other categories of data subjects for whom the defendant does not have contact details in its possession, the Disputes Chamber decides to permanently prohibit the processing of their personal data, in the absence of a lawful ground for processing.

Considering that the defendant already destroyed the CMX (incl. Permesso) database on July 30, 2021, that the B2C Data Quality services have therefore no longer been offered since that date, and that the B2C Data Delivery service has been completely stopped since October 30, 2021 [223], the Disputes Chamber does not consider it necessary in the present case to order the defendant to stop the data processing in connection with the aforementioned services or bring it into compliance with the GDPR [224].

211. Pursuant to Article 58.2.d) GDPR as well as Article 100, § 1, 9° WOG, the Disputes Chamber orders the defendant to remedy the violation of Articles 5.1 and 5.2 GDPR, Article 24.1 GDPR, as well as Articles 25.1 and 25.2 GDPR, by taking appropriate technical and organizational measures to ensure that the retention period of the data (which the defendant may only process further on the condition that the previous order has been complied with) is proportionate to the purposes of the processing, and so that the defendant, in the context of its current Data Quality services, only maintains the most up-to-date data of data subjects, as required by the principle of data minimization.
In addition, the Disputes Chamber orders the defendant to submit the current documentation in connection with the processing of data and compliance with the GDPR, or to adapt it to take account of the actual circumstances in which the defendant processes personal data and thus of the accountability which rests with the defendant.

212. Pursuant to Article 58.2.d) GDPR as well as Article 100, § 1, 9° WOG, the Disputes Chamber orders the defendant to remedy the violation of Articles 30.1 and 30.2 GDPR by supplementing the register of processing activities with a clear description of the categories of personal data and data subjects, as well as by mentioning by name all controllers for whom the defendant acts or intends to act as processor.

[223] Response from the defendant to the sanction form dated November 24, 2023, p. 3, (ii), (iii) and (iv) a.
[224] Response from the defendant to the sanction form dated November 24, 2023, p. 3, (iv) d.

213. Pursuant to Article 58.2.d) GDPR as well as Article 100, § 1, 9° WOG, the Disputes Chamber orders the defendant to submit proof of the implementation of the aforementioned compliance measures to the Disputes Chamber within a period of three months after notification of the decision.

III.2.2. Administrative fines

214. In addition to the corrective measure to bring the processing into compliance with Articles 5, 6, 12, 14, 15, 24, 25 and 30 GDPR, the Disputes Chamber also decides to impose administrative fines, which do not serve to end a violation but are imposed with a view to vigorous enforcement of the rules of the GDPR. As is clear from recital 148 GDPR [225], the GDPR puts first that, for every serious infringement (including the first finding of an infringement), penalties, including administrative fines, are imposed in addition to or instead of appropriate measures.
In the same sense, the CJEU recently confirmed [226] that “the principles, prohibitions and obligations set out in the GDPR are specifically addressed to the 'controllers' who, as emphasized in Recital 74 of the GDPR, are responsible for any processing of personal data carried out by them or on their behalf and must therefore not only take appropriate and effective measures, but must also be able to demonstrate that their processing activities comply with the GDPR, which means, among other things, that the measures are effective to ensure that compliance. When an infringement referred to in Article 83, paragraphs 4 to 6, of this Regulation has been committed, this responsibility constitutes the basis for imposing an administrative fine on the controller in accordance with Article 83”.

215. As regards the administrative fine that may be imposed under Article 83 of the GDPR and Articles 100, 13° and 101 WOG, Article 83.1 and 83.2 GDPR stipulates:

“1. Each supervisory authority shall ensure that the administrative fines imposed under this article for the infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall be effective, proportionate and dissuasive in each case.

[225] Recital 148 GDPR states: “In order to ensure stronger enforcement of the rules of this Regulation, penalties, including administrative fines, should be imposed for any infringement of the Regulation, in addition to or instead of appropriate measures imposed by the supervisory authorities under this Regulation. If it concerns a minor infringement or if the expected fine would impose a disproportionate burden on a natural person, a reprimand can be chosen instead of a fine.
However, account must be taken of the nature, seriousness and duration of the infringement, the intentional nature of the infringement, damage mitigation measures, the degree of responsibility or previous relevant infringements, the manner in which the infringement has come to the notice of the supervisory authority, compliance with the measures taken against the controller or the processor, adherence to a code of conduct and any other aggravating or mitigating factors. The imposition of penalties, including administrative fines, must be subject to appropriate procedural guarantees in accordance with the general principles of Union law and the Charter, including effective judicial remedy and fair administration of justice” (own underlining).
[226] CJEU, December 5, 2023, C-807/21, Deutsche Wohnen SE v. Staatsanwaltschaft Berlin (ECLI:EU:C:2023:950), marginal no. 38.

2. Administrative fines shall, depending on the circumstances of the specific case, be imposed in addition to or instead of the measures referred to in Article 58(2)(a) to (h) and (j).
When deciding whether to impose an administrative fine and on the amount thereof, due account shall be taken in each specific case of the following:
a) the nature, severity and duration of the infringement, taking into account the nature, scope or purpose of the processing in question as well as the number of data subjects affected and the extent of the damage they suffered;
b) the intentional or negligent nature of the infringement;
c) the measures taken by the controller or processor to limit the damage suffered by data subjects;
d) the extent to which the controller or processor is responsible given the technical and organizational measures he has implemented in accordance with Articles 25 and 32;
e) previous relevant infringements by the controller or processor;
f) the extent of cooperation with the supervisory authority to remedy the infringement and limit the possible negative consequences thereof;
g) the categories of personal data affected by the breach;
h) the manner in which the supervisory authority became aware of the infringement, in particular whether, and if so to what extent, the controller or processor reported the infringement;
i) compliance with the measures referred to in Article 58(2), to the extent that they have previously been taken with regard to the controller or processor in question with regard to the same matter;
j) adherence to approved codes of conduct in accordance with Article 40 or to approved certification mechanisms in accordance with Article 42; and
k) any other aggravating or mitigating factor, such as financial gains made, or losses avoided, whether or not arising directly from the infringement.”

216.
The Disputes Chamber points to the guidelines on the calculation of administrative fines [227], which the EDPB adopted on May 24, 2023 after a public consultation, and which the Disputes Chamber takes into account when determining the fine amounts in the case at hand.

217. It is important to place the defendant's shortcomings in context in order to determine the most appropriate sanction. The Disputes Chamber will take into account all relevant circumstances of the case, including (within the limits it indicates below) the defendant's response to the proposed sanctions that were communicated to him by means of the sanction form [228].

[227] EDPB – Guidelines 04/2022 on the calculation of administrative fines under the GDPR (v2.1, May 24, 2023).

218. The Disputes Chamber would also like to point out that it is its sovereign responsibility, as an independent administrative authority and subject to the relevant Articles of the GDPR and the WOG, to determine the appropriate corrective measure(s) and sanction(s). This follows from Article 83 of the GDPR itself, but the Market Court has also emphasized in its case law the existence of a broad discretionary power of the Disputes Chamber regarding the choice of the sanction and its scope, including in its judgments of July 7, 2021, September 6, 2023 and December 20, 2023 [229].

219. Below, the Disputes Chamber shows that the main infringements committed by the defendant are by no means minor. The fact that this is a first finding of an infringement of the GDPR committed by the defendant in no way prejudices the possibility for the Disputes Chamber to impose an administrative fine in application of Article 58.2.i) GDPR.
The instrument of an administrative fine is by no means solely intended to end infringements; the GDPR and the WOG provide for a number of corrective measures, including the orders referred to in Article 100, § 1, 8° and 9° WOG.

220. In the following marginal numbers, the Disputes Chamber motivates the imposition of an administrative fine in concrete terms, for each of the three conducts of the defendant distinguished above, taking into account Article 83 GDPR and the case law of the Market Court [230], as well as the criteria laid down in the guidelines of the EDPB on the calculation of administrative fines [231].

III.2.2.1. Annual turnover of the controller

221. For the purpose of imposing fines that are effective, proportionate and dissuasive, the supervisory authorities should use the definition of the term “undertaking” as established by the Court of Justice of the European Union for the application of Articles 101 and 102 TFEU, namely that the concept of undertaking is understood as an economic unit that can be formed by the parent company and all subsidiaries involved. In accordance with EU law and the case law, an undertaking must therefore be seen as an economic entity that carries out commercial/economic activities, regardless of its legal form [232].

[228] Sanction form dated October 31, 2023; Response from the defendant to the sanction form dated November 24, 2023.
[229] Court of Appeal Brussels (Market Court section), X v. GBA, Judgment 2021/AR/320 of 7 July 2021, p. 37-47; Court of Appeal Brussels (Market Court section), X v. GBA, Judgment 2023/AR/817 (2023/8986) of 20 December 2023, marginal nos. 61 et seq.
[230] Court of Appeal Brussels (Market Court section), X v. GBA, Judgment 2020/1471 of February 19, 2020.
[231] EDPB – Guidelines 04/2022 on the calculation of administrative fines under the GDPR (v2.0, May 24, 2023).
After all, according to the case law of the CJEU, there is a rebuttable presumption that a parent company actually exercises decisive influence on the behavior of a subsidiary of which it holds 100% of the capital [233].

222. Furthermore, Articles 83.4 and 83.6 GDPR prescribe that the total worldwide annual turnover of the previous fiscal year must be used for the calculation of the administrative fine, partly to prevent the fine from having a disproportionately heavy impact on the defendant. In this regard, the term “previous” must be interpreted in accordance with the case law of the CJEU in competition law, so that the relevant event for the calculation is the fine decision of the supervisory authority, and not the time of the sanctioned violation [234].

223. When the Disputes Chamber, on the basis of the powers it has under Article 58.2 GDPR, decides to impose on the defendant, who is currently part of BLACK TIGER GROUP [235] within the meaning of Articles 101 and 102 TFEU, an administrative fine in accordance with Article 83 GDPR, the Disputes Chamber must therefore, in accordance with the latter provision read in the light of recital 150 GDPR, base the calculation of the administrative fines for the infringements referred to in Articles 83.4 to 83.6 GDPR on the concept of “undertaking” within the meaning of Articles 101 and 102 TFEU [236].

224. In accordance with the foregoing, the Disputes Chamber therefore rules that it can rely on the consolidated turnover figures of the 2022 financial year of BLACK TIGER BELGIUM as well as of the parent company [the parent company Z1] (BLACK TIGER GROUP), now “[the parent company Z2]”, or […], for determining the amount of the administrative fine that it intends to impose on the defendant.
The Disputes Chamber refers to:
- the report with registration number […], as filed with the Registry of the Commercial Court of Paris on […], which shows that [the parent company] — now “[the parent company Z2]” — owns 100% of the capital of BLACK TIGER BELGIUM [237];
- the annual accounts of BLACK TIGER BELGIUM as filed with the National Bank of Belgium (NBB) on June 19, 2023, which show a turnover for the 2022 financial year of […]; and
- the annual accounts of [the parent company Z1] — now “[the parent company Z2]” — as filed with the Registry of the Commercial Court in Paris [238], which show a turnover for the 2022 financial year of […].

[232] Recital 150 of the GDPR; EDPB – Guidelines on the application and setting of administrative fines within the meaning of the GDPR (WP 253), p. 6-7. The definition in the case law of the European Court of Justice is: “the concept of undertaking includes any entity that carries out an economic activity, regardless of its legal form and the manner in which it is financed” (CJEU, C-41/90, Höfner and Elser v Macrotron, ECLI:EU:C:1991:161, paragraph 21). The concept of undertaking “must be understood as an economic unit, even if this economic unit is formed from a legal point of view by different natural or legal persons” (CJEU, C-217/05, Confederación Española de Empresarios de Estaciones de Servicio, ECLI:EU:C:2006:784, paragraph 40).
[233] CJEU, September 10, 2009, C-97/08 P, Akzo Nobel nv et al. v. Commission (ECLI:EU:C:2009:536), marginal nos. 60-61.
[234] EDPB – Guidelines 04/2022 on the calculation of administrative fines under the GDPR (v2.0, May 24, 2023), marginal no. 131. See also CJEU, 5 December 2023, C-807/21, Deutsche Wohnen SE v. Staatsanwaltschaft Berlin (ECLI:EU:C:2023:950), marginal nos. 55 up to and including 58.
[235] See marginal no. 37 in this decision.
[236] CJEU, December 5, 2023, C-807/21, Deutsche Wohnen SE v. Staatsanwaltschaft Berlin (ECLI:EU:C:2023:950), marginal no. 59.

225. The Disputes Chamber specifies in this regard that, at the time of sending the sanction form dated October 31, 2023, it did not yet have the turnover figures for the year 2022 and therefore had to take the turnover figures of 2021 into account. Since the turnover of [the parent company Z1] for the year 2022 has increased slightly compared to 2021, the Disputes Chamber will calculate its administrative fines based on the most recent available turnover figures. It has been publicly known since November 16, 2023 that the name of [the parent company Z1] was changed to “[the parent company Z2]”, which the defendant also did not mention in its response to the sanction form. Since the defendant has failed to refute, where necessary, the turnover figures stated in the sanction form [239] on the basis of more recent annual accounts, the Disputes Chamber assumes that no turnover figures are available other than those it takes into account in the present decision.

III.2.2.2. First conduct — Unlawful and unfair processing of personal data, without the data subjects being informed in a proactive, individual and transparent manner, and lack of guarantees for compliance with the core principles of the GDPR

Categorization in the abstract of the violation under Article 83.4 to 83.6 GDPR

226. The Disputes Chamber has already ruled that the defendant has infringed Article 5 GDPR; Article 6 GDPR; Article 12 GDPR; Article 14 GDPR; as well as Article 24 GDPR and Article 25 GDPR. The Disputes Chamber rules that the first conduct is characterized by a single act comprising several violations that arise from a uniform will and are so closely connected, both spatially and temporally, that they must be regarded as one coherent act.

[237] Cf. Annex III.
[238] https://commandes.greffe-tc-paris.fr/fr/societe/[...].
[239] Sanction form dated October 31, 2023, p. 10; Response from the defendant to the sanction form dated November 24, 2023, p. 3-4.

227. After all, due to the conscious choice not to proactively or individually inform the data subjects about the indirect collection of their personal data from third parties, as well as about the subsequent processing of their personal data in the context of commercial services, for a period of 15 years and in violation of the core principles of data minimization and storage limitation, the defendant cannot lawfully rely on its legitimate interests, or those of its data sources or customers, as a basis for the data processing.

228. For a violation of the basic principles of processing in accordance with Articles 5 and 6 GDPR, as well as the rights of the data subject in accordance with Articles 12 and 14 GDPR, the Disputes Chamber may impose an administrative fine of up to EUR 20,000,000 or, for a company, up to 4% of the total worldwide annual turnover in the previous financial year, whichever is higher. In accordance with Article 83.5 GDPR, a violation of the aforementioned provisions therefore gives rise to the highest fines.

Seriousness of the violations in the case at hand

229.
In accordance with the guidelines of the EDPB and the GDPR, the supervisory authorities should take due account of the nature, severity and duration of the violation, taking into account the nature, extent or purpose of the data processing in question, as well as the number of data subjects affected and the extent of the damage suffered by them (Article 83.2.a) GDPR); the intentional or negligent nature of the infringement (Article 83.2.b) GDPR); and the categories of personal data to which the infringement relates (Article 83.2.g) GDPR).

230. Nature, seriousness and duration of the infringement (Article 83.2.a) GDPR) — Regarding the seriousness of the violation, the Disputes Chamber notes that the principles of lawfulness (Article 5.1.a) and Article 6 GDPR) and transparency (Articles 12 and 14 GDPR) are fundamental principles of the protection guaranteed by the GDPR. The accountability principle laid down in Article 5.2 GDPR and further elaborated in Article 24 GDPR is also central to the GDPR and reflects the paradigm shift that the GDPR brings about, namely a shift from a regime based on prior declarations and authorizations by the supervisory authority towards greater accountability and responsibility of the controller. Compliance by the controller with its obligations, and its ability to fulfill them, have therefore only become more important.

A valid legal basis and transparent information are among the core elements of the fundamental right to data protection. After all, the principle of transparency constitutes the “gateway” that strengthens data subjects' control over their data and enables the exercise of the other rights that the GDPR grants to data subjects, such as the right to object and the right to have data erased.
Breaches of the aforementioned principles therefore constitute serious infringements, which may be punished with the highest administrative fines provided for in the GDPR.

The disputed processing in the context of the Data Delivery and Data Quality services that forms the basis of the present decision was, or still is, part of the defendant's core activities, which means that the Disputes Chamber is bound to give more weight to violations of the GDPR arising from these core activities. The defendant has also acknowledged in policy documents that the processing of personal data could have negative consequences for the data subjects, such as annoyance, irritation or stress, but also the feeling that they had to adjust their lifestyle if they wanted to prevent any processing of their personal data by the defendant and its customers [240]. The Disputes Chamber also emphasized that the disputed processing activities could potentially lead to invisible discrimination on the basis of the profiling data compiled by the defendant [241].

Regarding the scope of the processing, the EDPB guidelines on data protection impact assessments recommend taking into account, in addition to the number of data subjects, the volume of data, the duration or the permanent nature of the data processing, and the geographical scope of the processing in order to determine whether personal data are processed on a large scale [242]. In this regard the Disputes Chamber first establishes that the defendant's activities relate to the Belgian market. Given that the defendant is a significant market player and that, in addition, the disputed processing activities related to two different markets (B2C and B2B), the Disputes Chamber concludes that this case does indeed involve large-scale processing of personal data.

[240] See marginal no. 129 in this decision.
[241] See marginal nos. 129-133 in this decision.
[242] Article 29 Data Protection Working Party – Guidelines on data protection impact assessments and determination whether a processing “is likely to involve a high risk” within the meaning of Regulation 2016/679 (WP248, rev01, October 4, 2017), p. 12.

As regards the duration of the infringement, the Disputes Chamber notes that the defendant, after the takeover of BISNODE BELGIUM, decided to stop the processing activities associated with Data Delivery. However, this does not alter the fact that, prior to the takeover of BISNODE BELGIUM by BLACK TIGER, the personal data were for a long time processed non-transparently and unlawfully, and that the defendant remains responsible for the processing operations of the acquired BISNODE BELGIUM, including the processing activities that, due to contractual agreements, continued after the official date of discontinuation. Also taking into account the established retention period of 15 years and the fact that the defendant still publicly states on its website [244] that the company “has been active in the Belgian and European market since the early 1970s” and “has built up more than 30 years of expertise in data quality and data management” when it was part of “several international groups ([…] and Bisnode), before becoming part of the Black Tiger group,” the Disputes Chamber concludes that the disputed processing took place for at least 15 years, until July 30, 2021 [245].

231. Negligence or intentional nature of the infringement (Article 83.2.b) GDPR) — The Disputes Chamber recalls that “intent” usually includes both knowledge and willfulness regarding the characteristics of an offense, while “unintentional” means that there was no intent to cause the infringement, although the controller or the processor has violated the duty of care prescribed by law [246].
In other words, two cumulative elements are required for an infringement to be considered intentional, i.e., knowledge of the violation and intentionality with regard to the act [247]. As to whether an infringement was committed intentionally or negligently by a controller, the CJEU clarified in its recent judgment that a supervisory authority may impose an administrative fine under Article 83 GDPR for an infringement referred to in Articles 83.4 to 83.6 GDPR if it has been demonstrated that the controller committed this infringement intentionally or negligently. The imposition of such a fine is therefore subject to the condition that the infringement in question was committed culpably [248].

[243] See also marginal no. 114 in this decision.
[244] https://www.blacktigerbelgium.tech/wie-zijn-wij/?lang=nl, accessed December 15, 2023.
[245] On this date, according to the defendant, the CMX database was destroyed.
[246] Article 29 Data Protection Working Party – Guidelines for the Application of Administrative Fines within the meaning of Regulation (EU) 2016/679 (WP253, October 3, 2017), p. 12.
[247] See also EDPB – Binding Decision 1/2023 on the dispute submitted by the IE SA on data transfers by Meta Platforms Ireland Ltd (Facebook), marginal no. 103, available at https://edpb.europa.eu/system/files/2023-05/edpb_bindingdecision_202301_ie_sa_facebooktransfers_en.pdf.
[248] CJEU, December 5, 2023, C-807/21, Deutsche Wohnen SE v. Staatsanwaltschaft Berlin (ECLI:EU:C:2023:950), marginal no. 75.

With regard to the intentionality component, the Disputes Chamber also recalls that the CJEU has set a high threshold for an act to be considered intentional. For example, the CJEU has ruled in criminal cases that there is “serious negligence” rather than “intention” when “the person liable commits a qualified violation of his duty of care that he should and could have observed taking into account his capacity, his knowledge, his skills and his individual situation” [249]. Even where a company for which the processing of personal data is the core of its business activities is expected to take sufficient measures to protect personal data and to be thoroughly aware of its obligations in this regard, such a qualified violation does not necessarily indicate that there is an intentional violation [250]. In other words, this means that a controller can also be punished with an administrative fine under Article 83 GDPR for conduct falling within the scope of this Regulation where that controller could not have been unaware of the fact that its conduct constituted an infringement, regardless of whether it was aware that it was violating the provisions of the GDPR [251].

In this case, the Disputes Chamber notes that BISNODE POLAND was fined in 2019 by the Polish data protection authority [252] for a breach of the information obligation. There is therefore no doubt that the defendant was aware of that decision but did not consider it necessary to subsequently inform, on a (more) proactive basis, the Belgian data subjects whose personal data the defendant collected indirectly. Although the Disputes Chamber cannot establish with certainty that the defendant deliberately violated Article 14 GDPR, it does have sufficient indications, in particular given the nature of the disputed processing activities, that there is the highest degree of negligence on the part of the defendant, which consciously chose not to fulfill its obligation to provide information pursuant to Article 14 GDPR itself, leaving this mainly to third parties.
The foregoing means that the infringement regarding the processing basis is not of an intentional nature, because the defendant did carry out an extensive analysis to determine which legal basis would be the most appropriate in the present case. There is therefore no (apparent) intention on the part of the defendant to violate the GDPR with full knowledge of the facts and intentionally by using an inappropriate processing basis, but there is at least serious negligence.

[249] CJEU, 3 June 2008, C-308/06, Intertanko and others (ECLI:EU:C:2008:312), marginal no. 77.
[250] See also EDPB – Binding Decision 2/2022 on the dispute arisen on the draft decision of the Irish Supervisory Authority regarding Meta Platforms Ireland Limited (Instagram) under Article 65(1)(a) GDPR, July 28, 2022, marginal no. 204.
[251] CJEU, December 5, 2023, C-807/21, Deutsche Wohnen SE v. Staatsanwaltschaft Berlin (ECLI:EU:C:2023:950), marginal no. 76. See also CJEU, 18 June 2013, C‑681/11, Schenker & Co. and others (ECLI:EU:C:2013:404), marginal no. 37; CJEU, March 25, 2021, Lundbeck v. Commission, C‑591/16 P (ECLI:EU:C:2021:243), marginal no. 156; and CJEU, 25 March 2021, C‑601/16 P, Arrow Group and Arrow Generics v. Commission (ECLI:EU:C:2021:244), marginal no. 97.
[252] See marginal no. 161 in this decision.

232. Categories of personal data affected by the breach (Article 83.2.g) GDPR) — As established earlier in this decision, the disputed processing related to the contact details of the data subjects and also to data with which the data subjects could be segmented for direct marketing-related purposes. The nature of the personal data processed therefore includes different categories, including financial information (average income), housing, family composition, as well as socio-demographic and lifestyle data such as the social class to which the data subjects belong.
Although such personal data are prima facie not of a sensitive or special nature, the Disputes Chamber rules that they nevertheless belong to categories of personal data of such a nature that they may affect the privacy of the data subjects, and which the data subjects would generally not reasonably expect to be collected indirectly from, and subsequently processed by, third parties.

Categorization in concrete terms of the seriousness of the violations and determination of the correct starting amount

233. Based on the evaluation of the criteria set out above, the infringement is deemed to be of low, medium or high severity. These categories are without prejudice to the question of whether or not a fine can be imposed.
▪ When calculating the administrative fine for infringements of low severity, the supervisory authority will set the starting amount for further calculation at an amount between 0 and 10% of the applicable legal maximum.
▪ When calculating the administrative fine for infringements of medium severity, the supervisory authority will set the starting amount for further calculation at an amount between 10 and 20% of the applicable legal maximum.
▪ When calculating the administrative fine for infringements of high severity, the supervisory authority will set the starting amount for further calculation at an amount between 20 and 100% of the applicable legal maximum [253].

[253] EDPB – Guidelines 04/2022 on the calculation of administrative fines under the GDPR (v2.0, May 24, 2023), marginal no. 60.

234. In this case, the Disputes Chamber rules that the violations of the principles of lawfulness, fairness and transparency (Article 5.1.a) GDPR), as well as of the accountability principle (Article 5.2 GDPR), in combination with the violations of the obligation to provide information to the data subjects (Article 12 in conjunction with Article 14 GDPR), are of high seriousness.
The Disputes Chamber must therefore use, for the violations related to the first conduct (falling under Article 83.5 GDPR, with a high degree of severity), a theoretical starting amount for the further calculation of the administrative fine of between EUR 4,000,000 and EUR 20,000,000.

235. Based on the previous assessment of the circumstances in the light of Article 83.2.a), b) and g) GDPR [254], the Disputes Chamber decides to take a theoretical starting amount of EUR 10,000,000 into account.

236. Taking into account the minimum and maximum amounts set per level in the guidelines, on the one hand, and the relevant annual turnover of the controller, on the other hand, the Disputes Chamber decides in concrete terms to reduce the final starting amount for the first category of infringements (falling under Article 83.5 GDPR, with a high degree of severity) to an adjusted starting amount of EUR 185,000 [255].

Aggravating and mitigating factors

237. After assessing the nature and severity of the infringement, as well as the intentional or negligent nature of the infringement and the categories of personal data involved, the supervisory authority shall also take into account the remaining aggravating and mitigating factors, as listed under Article 83.2 GDPR.

238. Measures taken to limit the damage suffered by the data subjects (Article 83.2.c) GDPR) — The Disputes Chamber takes into account the efforts the defendant has made to ensure transparency towards the data subjects by means of web pages as well as the mandatory indication of the identity of BISNODE BELGIUM, now BLACK TIGER BELGIUM, at the bottom of the direct marketing communications that the data subjects receive from the defendant's customers. The Disputes Chamber also takes into account the defendant's initiative, after the acquisition of BISNODE BELGIUM, to discontinue the Data Delivery activities and to destroy the CMX database prior to the substantive treatment by the Disputes Chamber [256].
[254] See marginal nos. 230 up to and including 232 in this decision.
[255] EDPB – Guidelines 04/2022 on the calculation of administrative fines under the GDPR (v2.0, May 24, 2023), marginal no. 65.
[256] Response from the defendant to the sanction form dated November 24, 2023, p. 1, (i).

239. Extent to which the defendant is responsible in view of the technical and organizational measures it has implemented in accordance with Articles 25 and 32 GDPR (Article 83.2.d) GDPR) — In the context of the substantive proceedings, and in particular during the hearing of 22 February 2023, the defendant has always taken the position that the provision of information by the recipients of the personal data, being the customers of BLACK TIGER BELGIUM, was sufficient to meet the information and transparency obligations. It is also established that BLACK TIGER BELGIUM, after the takeover, bears full responsibility for establishing an appropriate retention period for the processed personal data, as well as for compliance with the basic principles of the GDPR in the context of the continued data processing. For these reasons, the Disputes Chamber considers it proven that BLACK TIGER BELGIUM can be held responsible for the further processing of personal data of the data subjects, including the complainants, after the takeover of BISNODE BELGIUM. In view of the documents submitted as well as the defenses put forward, however, the Disputes Chamber is not sufficiently convinced that the defendant has implemented appropriate technical and organizational measures, notwithstanding that it had sufficient means and influence to do so, in order to guarantee compliance with the basic principles of the GDPR, such as the principles of storage limitation and data minimization.

240.
Previous relevant breaches by the controller or processor (Article 83.2.e) GDPR) — Although the facts in the present case show strong similarities with the circumstances in the decision of the Polish Supervisory Authority regarding BISNODE POLAND, the Disputes Chamber does take into account that BISNODE BELGIUM, now BLACK TIGER BELGIUM, was not found guilty of previous violations of the GDPR.

241. The extent to which there was cooperation with the supervisory authority to remedy the infringement and limit its possible negative consequences (Article 83.2.f) GDPR) — The Disputes Chamber notes that the defendant, by letter dated April 27, 2021 from the DPO of BISNODE BELGIUM addressed to the Inspector General, made known its position on the complainants' complaints at an early phase of the procedure. The Disputes Chamber also acknowledges the goodwill of the defendant, which during the investigation handed over extensive policy documents to the Inspection Service and expressed its willingness to answer further questions from the Inspection Service.

242. Other aggravating circumstances (Article 83.2.k) GDPR) — The Disputes Chamber first takes into account, as an aggravating circumstance, the fact that the defendant made a profit from the unlawful processing. The defendant's argument that the Disputes Chamber would not take into account the operating loss of BLACK TIGER BELGIUM in 2022, following the discontinuation of the Data Delivery activities, is not sufficient in this regard because the adjusted starting amount already sufficiently takes into account the operating loss suffered in 2022.
In addition, the Disputes Chamber notes that the defendant, both in its written defense and during the hearing, has maintained the position that BLACK TIGER BELGIUM was in no way obliged to inform data subjects directly and individually about the processing, although Article 14 GDPR prescribes that communications to data subjects are the responsibility of the controller and must in principle be made proactively.

Decision of the Disputes Chamber with regard to the first conduct

243. All of the elements set out above justify an effective, proportionate and dissuasive penalty as referred to in Article 83 GDPR, taking into account the assessment criteria specified therein. For the sake of good order, the Disputes Chamber notes that the other criteria of Article 83.2 GDPR are in this case not of such a nature that they would lead to an administrative fine different from that which the Disputes Chamber has determined in the context of this decision.

244. In view of the previous assessment of the relevant documents as well as the circumstances specific to this case, the Disputes Chamber deems it appropriate, pursuant to Article 58.2.i) GDPR as well as Articles 100, § 1, 13° WOG and 101 WOG, and in accordance with Article 83.2 GDPR, to impose an administrative fine of EUR 129,500 on the defendant.

245. The Disputes Chamber rules that the serious negligence with which the defendant for years processed and commercialized the personal data of the complainants and other data subjects without respecting the core principles of the GDPR, and in particular the information and transparency obligations towards data subjects, should be appropriately punished with an administrative fine. In addition, the further processing of personal data without proactive and individual provision of information to the data subjects should be vigorously discouraged.
Finally, the Disputes Chamber is of the opinion that the amount of the fine, which incidentally remains well below the maximum amount within the permitted range, is proportionate to the seriousness of the infringements contained in the first conduct.

III.2.2.3. Second conduct — Failure to act appropriately on the requests from data subjects to exercise their right of access

Categorization in the abstract of the violation under Article 83.4 to 83.6 GDPR

246. The Disputes Chamber recalls that the right of access is, in addition to Article 15 GDPR, included in Article 8.2 of the European Charter and is therefore one of the core elements of the fundamental right to data protection. By failing to disclose all sources to the complainant, the defendant has committed an infringement of Article 15 GDPR. It is also established that the defendant in this case deliberately failed to answer electronically the requests for access, which had nevertheless been submitted electronically, in violation of Article 12 in conjunction with Article 15 GDPR. Naturally, Article 15 GDPR must be read in conjunction with Article 12 GDPR, under which the controller must facilitate the exercise by data subjects of their rights under the GDPR. Finally, the Disputes Chamber rules that the defendant has also violated Article 15 GDPR by merely specifying the categories of recipients in the response to the complainants, notwithstanding that the defendant was at that time able to identify the specific recipients.

247. For a violation of the rights of data subjects in accordance with Articles 12 and 15 GDPR, the Disputes Chamber may, on the basis of Article 83.5.a) and 83.5.b) GDPR, impose an administrative fine of up to EUR 20,000,000 or, for a company, up to 4% of the total worldwide annual turnover in the previous financial year, if this figure is higher.
In accordance with Article 83.5 GDPR, a violation of the aforementioned provisions therefore leads to the highest fines.

Seriousness of the violations in the case at hand

248. In accordance with the GDPR, as explained in the EDPB Guidelines, the supervisory authorities should take due account of the nature, seriousness and duration of the violation, taking into account the nature, scope or purpose of the data processing in question, as well as the number of data subjects affected and the extent of the damage suffered by them (Article 83.2.a) GDPR); the intentional or negligent nature of the infringement (Article 83.2.b) GDPR); and the categories of personal data to which the infringement relates (Article 83.2.g) GDPR).

249. Nature, severity and duration of the violation (Article 83.2.a) GDPR) - The right of access constitutes the gateway to, and therefore also the cornerstone of, the exercise of other rights provided by the GDPR, such as the right to object to the processing of personal data (Article 21 GDPR) and the so-called right to be forgotten (Article 17 GDPR). It is therefore extremely important that data subjects who exercise their right of access actually obtain access to all data relating to them collected by the controller, and receive concise, transparent and understandable information about the circumstances in which their personal data are processed. By not providing complete and sufficiently detailed information to the data subjects, the controller deprives them of the ability to exercise an appropriate degree of control over their own personal data. In addition, the complainant rightly notes that the failure to provide relevant information immediately after the first request unnecessarily complicates the further exercise of their rights by the data subjects.
Although the Disputes Chamber notes that the defendant responded to the requests in a timely manner, the defendant bears responsibility for the fact that the answers provided were not complete from the start and that it was not easy for the data subjects to respond to them — e.g., in order to dispute the information provided or request further explanation — which contributed to the data subjects being unnecessarily hindered in exercising their rights.

250. Negligence or intentional nature of the infringement (Article 83.2.b) GDPR) [257] — With regard to the manner in which the defendant in this case granted the data subjects access to the processing of their personal data, and in particular by communicating only the categories of recipients although the defendant must have had the specific identity of these recipients; by not communicating the sources in an exhaustive manner; and by delivering the responses by post even though the requests had been submitted electronically, the Disputes Chamber considers it sufficiently proven that the defendant violated Articles 12 and 15 GDPR through serious negligence.

251. Categories of personal data affected by the breach (Article 83.2.g) GDPR) — As established earlier in this decision, the disputed processing operations related, in addition to the contact details of the data subjects, also to various personal data with which the data subjects can subsequently be segmented for direct marketing-related purposes. The nature of the personal data processed therefore includes different categories, including financial information (average income), housing, family composition, as well as socio-demographic and lifestyle data such as the social class to which the data subjects belong. Although such data are prima facie not of a sensitive or special nature, the Disputes Chamber rules that they nevertheless belong to categories of personal data that data subjects would generally not reasonably expect to be collected indirectly from, and subsequently processed by, third parties.

[257] See marginal no. 231 in this decision for a detailed explanation of the distinction between negligence and intent.

Categorization in concrete terms of the seriousness of the violations and determination of the correct starting amount based on the annual turnover of the controller

252. Based on the evaluation of the criteria set out above, the infringement is deemed to be of low, medium or high severity. These categories are without prejudice to the question of whether or not a fine can be imposed.
▪ When calculating the administrative fine for infringements of low severity, the supervisory authority will set the starting amount for further calculation at an amount between 0 and 10% of the applicable legal maximum.
▪ When calculating the administrative fine for infringements of medium severity, the supervisory authority will set the starting amount for further calculation at an amount between 10 and 20% of the applicable legal maximum.
▪ When calculating the administrative fine for infringements of high severity, the supervisory authority will set the starting amount for further calculation at an amount between 20 and 100% of the applicable legal maximum [258].

253. In this case, the Disputes Chamber rules that the violations related to the right of access of data subjects (Article 15 GDPR) are of medium seriousness. The Disputes Chamber must therefore use, for the violations related to the second conduct (falling under Article 83.5 GDPR, with a medium degree of seriousness), a theoretical starting amount for the further calculation of the administrative fine of between EUR 2,000,000 and EUR 4,000,000.

254.
Relying on the foregoing assessment of the circumstances in the light of Article 83.2.a), b) and g) GDPR [259], the Disputes Chamber decides to take into account a theoretical starting amount of EUR 2,800,000.

255. Taking into account the minimum and maximum amounts set in the guidelines per level, on the one hand, and the relevant annual turnover of the controller, on the other hand, the Disputes Chamber decides in concrete terms to set the final starting amount for the second category of infringements (falling under Article 83.5 GDPR, with medium severity level) at an adjusted starting amount of EUR 51,800. [260]

[258] EDPB – Guidelines 04/2022 on the calculation of administrative fines under the GDPR (v2.0, May 24, 2023), marginal no. 60.
[259] See marginal nos. 230 up to and including 232 in this decision.

Aggravating and mitigating factors

256. After assessing the nature and severity of the infringement, as well as the intentional or negligent nature of the infringement and the categories of personal data involved, the supervisory authority shall also take into account the remaining aggravating and mitigating factors, as listed under Article 83.2 GDPR.

257. Extent to which the defendant is responsible in view of the technical and organizational measures it has implemented in accordance with Article 25 (Article 83.2.d) GDPR) — It is established before the Disputes Chamber, and is not disputed by the defendant, that BLACK TIGER BELGIUM is fully responsible for the management of the website, including the online contact form with which data subjects can exercise their rights with regard to the defendant, as well as the manner in which the requests from those involved are granted, where applicable.

258.
Other mitigating circumstances (Article 83.2.k) GDPR) — The Disputes Chamber establishes that the defendant offers a centralized contact form on its website, with which data subjects can submit requests to exercise their rights under the GDPR. This shows that the defendant fully intends to facilitate the submission of requests by those involved. [261] Furthermore, the Disputes Chamber is of the opinion that every controller is always obliged to communicate all specific information to data subjects who ask for it in the context of their request for access. However, the Disputes Chamber is aware that the CJEU only confirmed after the disputed facts under what circumstances a controller must communicate the exact identity or the categories of recipients. Finally, the Disputes Chamber decides to take into account the efforts of the defendant, i.e., the fact that the defendant actually responded to the requests for access, and did so in a timely manner, though not completely nor in a commonly used electronic form. [262]

[260] EDPB – Guidelines 04/2022 on the calculation of administrative fines under the GDPR (v2.0, May 24, 2023), marginal no. 65.
[261] Response from the defendant to the sanction form dated November 24, 2023, p. 2, (ii).
[262] Ibid.

259. Other aggravating circumstances (Article 83.2.k) GDPR) — The foregoing means that the defendant also determines which personal data, in this case identification and contact details, are collected, as well as both the means and purposes of the processing. However, the Disputes Chamber notes that, in addition to the postal address of data subjects, the defendant also collects their electronic contact details, notwithstanding that the defendant consciously opted to answer the requests exclusively by post.
Thus, the defendant violates the principle of data minimization under Article 5.1.c) GDPR as well as the principle of data protection by design provided for in Article 25 GDPR. Since this observation, however, was not subjected to adversarial debate in the context of the proceedings on the merits, the Disputes Chamber decides not to increase the adjusted starting amount.

Decision of the Disputes Chamber with regard to the second conduct

260. All of the elements set out above justify an effective, proportionate and dissuasive penalty as referred to in Article 83 GDPR, taking into account the assessment criteria specified therein. For the sake of good order, the Disputes Chamber points out that the other criteria of Article 83.2 GDPR are, in this case, not of such a nature that they would lead to an administrative fine other than that determined by the Disputes Chamber in the context of this decision.

261. In view of the previous assessment of the relevant documents as well as the circumstances specific to this case, the Disputes Chamber deems it appropriate, pursuant to Article 58.2.i) GDPR as well as Articles 100, § 1, 13° WOG and 101 WOG, in accordance with Article 83.2 GDPR, to impose an administrative fine of EUR 41,440 on the defendant.

262. The Disputes Chamber considers it justified, in view of the specific circumstances as well as the conscious choice of the defendant regarding the manner in which requests from those involved have been processed, to impose an administrative fine with the aim of appropriately sanctioning this behavior and in order to encourage the defendant no longer to respond in such a manner in the future to requests to exercise rights granted under the GDPR. The Disputes Chamber also believes that the amount of this fine, which remains well below the maximum amount of the permitted range, is proportionate to the severity of the infringements contained in the second conduct.

III.2.2.4.
Third conduct — Failure to include in the processing register a description of the categories of data subjects and the categories of personal data, as well as the identity of the controllers for whom the defendant considers that it acts as processor

Categorization in the abstract of the violation under Article 83.4 to 83.6 GDPR

263. The Disputes Chamber establishes that the defendant has failed to include a description of the categories of data subjects and of the personal data processed in its register of processing activities, as expressly prescribed in Article 30 GDPR. In addition, the defendant violated Article 30 GDPR by failing to document, in the centralized processing register, the identity of the controllers for whom the defendant acts as processor. In this regard, the Disputes Chamber recalls that the register of processing activities is an essential and central file that every controller obliged to do so under Article 30 GDPR must draw up and supplement in an appropriate manner, and must be able to submit to the supervisory authority upon request. This is why the EU legislature has expressly provided for the possibility of imposing a fine for failure to comply with the aforementioned provision, in contrast to other policy documents, which rather fall under Article 24 GDPR and for which no penalty is provided under either Article 83.4 GDPR or Article 83.5 GDPR.

264. For a breach of the obligations of the controller and the processor in accordance with Article 30 GDPR, the Disputes Chamber may, on the basis of Article 83.4.a) GDPR, impose an administrative fine of up to EUR 10,000,000 or, for a company, up to 2% of the total worldwide annual turnover in the preceding financial year, if that figure is higher.

Seriousness of the violations in the case at hand

265.
In accordance with the guidelines of the EDPB and the GDPR, the supervisory authorities should take due account of the nature, severity and duration of the violation, taking into account the nature, extent or purpose of the data processing in question, as well as the number of data subjects affected and the extent of the damage suffered by them (Article 83.2.a) GDPR); the intentional or negligent nature of the infringement (Article 83.2.b) GDPR); and the categories of personal data to which the infringement relates (Article 83.2.g) GDPR).

266. Nature, severity and duration of the violation (Article 83.2.a) GDPR) — The Disputes Chamber points out that, in order to effectively implement the obligations contained in the GDPR, it is essential that the controller and processors maintain a complete and accurate overview of the processing of personal data that they carry out. This register is therefore primarily an instrument to assist the controller or processor in complying with the GDPR for the various data processing operations that it carries out, because the register makes their most important features visible. The Disputes Chamber is of the opinion that this processing register is an essential instrument in the context of the accountability already mentioned (Article 5.2 GDPR and Article 24 GDPR) and that this register underlies all obligations that the GDPR imposes on the controller and processor. It is therefore extremely important that it is complete and correct.

267. Negligence or intentional nature of the infringement (Article 83.2.b) GDPR) [263] — In the present case, the Disputes Chamber rules that the infringement of Article 30 GDPR is due to serious negligence on the part of the controller, given the nature of the core activities of the defendant as well as the defendant's statements that its activities are in accordance with the GDPR.
Categorization in concrete terms of the seriousness of the violations and determination of the correct starting amount based on the annual turnover of the controller

268. Based on the evaluation of the criteria set out above, the infringement is deemed of low, medium or high severity. These categories are without prejudice to the question of whether or not a fine can be imposed.

▪ When calculating the administrative fine for infringements of low severity, the supervisory authority will set the starting amount for further calculation at an amount between 0 and 10% of the applicable legal maximum.
▪ When calculating the administrative fine for infringements of medium severity, the supervisory authority will set the starting amount for further calculation at an amount between 10 and 20% of the applicable legal maximum.
▪ When calculating the administrative fine for infringements with a high severity level, the supervisory authority will set the starting amount for further calculation at an amount between 20 and 100% of the applicable legal maximum. [264]

[263] See marginal no. 231 in this decision for a detailed explanation of the distinction between negligence and intent.

269. In this case, the Disputes Chamber rules that the violation regarding the register of processing activities (Article 30 GDPR) is of low severity. For the violations related to the third conduct (falling under Article 83.4 GDPR, with a low degree of severity), the Disputes Chamber must therefore apply a theoretical starting amount for the further calculation of the administrative fine of a maximum of EUR 1,000,000.

270. Relying on the foregoing assessment of the circumstances in the light of Article 83.2.a), b) and g) GDPR [265], the Disputes Chamber decides to take into account a theoretical starting amount of EUR 200,000.

271.
Taking into account the minimum and maximum amounts set in the guidelines per level, on the one hand, and the relevant annual turnover of the controller, on the other hand, the Disputes Chamber decides in concrete terms to reduce the final starting amount for the third category of infringements (falling under Article 83.4 GDPR, with a low degree of severity) to an adjusted starting amount of EUR 3,700. [266]

Aggravating and mitigating factors

272. After assessing the nature and severity of the infringement, as well as the intentional or negligent nature of the infringement and the categories of personal data involved, the supervisory authority shall also take into account the remaining aggravating and mitigating factors, as listed under Article 83.2 GDPR. Given the specific nature of this violation, and in the absence of any comments in this regard on behalf of the defendant, the Disputes Chamber will not take any further aggravating or mitigating circumstances into account.

Decision of the Disputes Chamber with regard to the third conduct

273. All of the elements set out above justify an effective, proportionate and dissuasive penalty as referred to in Article 83 GDPR, taking into account the assessment criteria specified therein. For the sake of good order, the Disputes Chamber points out that the other criteria of Article 83.2 GDPR are, in this case, not of such a nature that they would lead to an administrative fine other than that determined by the Disputes Chamber in the context of this decision.

[264] EDPB – Guidelines 04/2022 on the calculation of administrative fines under the GDPR (v2.0, May 24, 2023), marginal no. 60.
[265] See marginal nos. 230 up to and including 232 in this decision.
[266] EDPB – Guidelines 04/2022 on the calculation of administrative fines under the GDPR (v2.0, May 24, 2023), marginal no. 65.

274.
In view of the previous assessment of the relevant documents as well as the circumstances specific to this case, the Disputes Chamber deems it appropriate, pursuant to Article 58.2.i) GDPR as well as Articles 100, § 1, 13° WOG and 101 WOG, in accordance with Article 83.2 GDPR, to impose an administrative fine of EUR 3,700 on the defendant for the violation of Article 30 GDPR for failure to keep an exhaustive and sufficiently detailed register of processing activities.

III.3. Other grievances

275. The Disputes Chamber decides to dismiss the other grievances and findings of the Inspection Service [267], as the Disputes Chamber, based on the facts and documents in the file, cannot conclude that there has been an infringement of the GDPR. These grievances and findings by the Inspection Service are therefore considered manifestly unfounded within the meaning of Article 57.4 of the GDPR [268].

IV. Publication of the decision

276. Considering the importance of transparency with regard to the decision-making of the Disputes Chamber, this decision will be published on the website of the Data Protection Authority, indicating the identification details of the defendant, in view of the public interest of this decision, on the one hand, and the unavoidable re-identification of the defendant in case of pseudonymization, on the other hand. By contrast, it is not necessary that the identification details of the complainants be disclosed in this publication.

[267] See marginal nos. 192, 196, 199 and 202 in this decision.
[268] See point 3.1.A.2 of the Disputes Chamber's dismissal policy dated June 18, which can be consulted via https://www.gegevensbeschermingsautoriteit.be/publications/sepotbeleid-van-de-geschikkamer.pdf.
FOR THESE REASONS, the Disputes Chamber of the Data Protection Authority decides, after deliberation, to:

- Pursuant to Article 58.2.d) GDPR as well as Article 100, § 1, 8° and 9° WOG, order the defendant to terminate the violation of Article 5.1 GDPR, Article 6.1 GDPR, Article 12.1 GDPR, as well as Articles 14.1 and 14.2 GDPR, in the context of B2B Data Quality services, and to keep it terminated until the processing is brought into compliance with the GDPR, by proactively and individually informing those involved for whom the defendant has contact details of the processing of their personal data by the defendant before processing personal data in the Spectron database. In doing so, the defendant must also give the persons involved a period of three months from the date on which the information is provided to object, in a simple and effective manner, to the processing of their personal data, before resuming processing. As regards the other categories of data subjects, for whom the defendant has no contact details, the Disputes Chamber decides, in the absence of a lawful processing ground, to permanently prohibit the processing of their data.
- Pursuant to Article 58.2.d) GDPR as well as Article 100, § 1, 9° WOG, order the defendant to remedy the violation of Articles 5.1 and 5.2 GDPR, Article 24.1 GDPR as well as Articles 25.1 and 25.2 GDPR by taking appropriate technical and organizational measures to ensure that the retention period of the personal data (which the defendant may only further process on condition that the previous order has been complied with) is proportionate to the purposes of the processing, and so that the defendant, in the context of its current Data Quality services, only retains the most current personal data of data subjects, as required by the principle of data minimization.
In addition, the Disputes Chamber orders the defendant to supplement or adjust the current documentation relating to the processing of data and compliance with the GDPR, so as to take into account the actual circumstances in which the defendant processes data, in line with the accountability imposed on the defendant.
- Pursuant to Article 58.2.d) GDPR as well as Article 100, § 1, 9° WOG, order the defendant to remedy the violation of Article 30.1.c) GDPR as well as Article 30.2 GDPR by supplementing the register of processing activities with a clear description of the categories of personal data and of data subjects, as well as with all controllers on behalf of which the defendant believes it acts as processor.
- Pursuant to Article 58.2.d) GDPR as well as Article 100, § 1, 9° WOG, order the defendant to submit to the Disputes Chamber, within a period of three months after notification of the decision, evidence of the implementation of the aforementioned compliance measures.
- Pursuant to Article 58.2.i) GDPR as well as Articles 100, § 1, 13° WOG and 101 WOG, in accordance with Article 83.2 GDPR, impose an administrative fine of EUR 129,500 on the defendant for the violation of Article 5 GDPR; Article 6 GDPR; Article 12 GDPR; Article 14 GDPR; Article 24 GDPR and Article 25 GDPR.
- Pursuant to Article 58.2.i) GDPR as well as Articles 100, § 1, 13° WOG and 101 WOG, in accordance with Article 83.2 GDPR, impose an administrative fine of EUR 41,440 on the defendant for the violation of Article 12 GDPR and Article 15 GDPR.
- Pursuant to Article 58.2.i) GDPR as well as Articles 100, § 1, 13° WOG and 101 WOG, in accordance with Article 83.2 GDPR, impose an administrative fine of EUR 3,700 on the defendant for the violation of Article 30 GDPR.
This decision can be appealed on the basis of Article 108, § 1 WOG, by registered letter, within thirty days of the notification, to the Marktenhof, with the Data Protection Authority as defendant.

(signed) Hielke HIJMANS
Chairman of the Disputes Chamber